I want to implement the Cisco AnyConnect client on our iPhones in order to use Cisco Mobile 8.1 via Wi-Fi / 3G.
What I'm looking for is:
1) The VPN connection doesn't require user interaction to connect. I think this can be accomplished by using certificate auth. Is that right?
2) I need the VPN to reconnect automatically if the connection is lost. AnyConnect has the "reconnect feature". Does it work on the iPhone?
If you can provide any good "quick" guide to set up "Certificate Auth" for AnyConnect I will be very happy!
I've investigated this matter for some time, and here are the results and the information you need:
Objective: Use the iPhone with Cisco Jabber (ex Cisco Mobile 8.x) connected by VPN automatically.
In order to achieve this you need:
1) An iPhone, or an Android-based phone
2) A Cisco ASA (AnyConnect for mobiles is not supported on ISRs)
3) The Cisco AnyConnect Mobile license for the ASA (L-ASA-AC-M-55XX). This license is necessary in order to accept SSL VPN connections from mobile devices
4) You should also have SSL VPN licenses installed on the ASA. For example Essential (L-ASA-AC-E-55XX=)
So, the first thing you need is an ASA. The 5505 should be ok (but with the additional licenses I've mentioned above).
In order to achieve a VPN that is automatically connected on demand, and that doesn't ask for "user and pass", you need to configure the use of certificates for authentication.
Here are the main steps:
1) You need a certificate for the ASA. When you try to connect through an SSL VPN, the ASA "offers" its own digital certificate in order to prove its identity. The right way to do it is to buy a certificate from a trusted certificate authority (ex: GoDaddy). For that kind of certificate you need to pay. So, for testing purposes, you can also use a self-signed certificate (you can generate it from the ASA directly). The problem with this kind of self-signed certificate is that when you try to connect you will get a warning saying that the identity cannot be verified, etc.
2) For the clients (mobiles) that are going to connect and authenticate with a certificate (remember that you don't want to use user and pass, so the connection is totally automatic and there is no need for user interaction) you need to generate a certificate. Thus, a certificate authority is needed. That role can be fulfilled by the ASA itself, by a Windows Server CA, etc.
3) You need to configure the SSL VPN on the ASA, with all the usual parameters. The only difference is that you need to configure it to authenticate only by certificate.
4) You need to install the certificate on the iPhone, install the AnyConnect client on the iPhone and configure it.
5) In order to use the "autoconnect" feature, you need to specify the URL on the AnyConnect client. So when the phone tries to reach that URL the VPN will be connected.
Here is some useful info:
How to config VPN on demand for Jabber
How to Guide - Cisco ASA SSL VPN using certificates for 2-factor Auth
Iphone in business
And here's the config I used on an ASA5505:
Hope it helps!
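The poster's own ASA config is not on this page, so here is an added example (not the poster's configuration) of steps 1 to 3 of the answer above: an identity certificate for the ASA, a trustpoint for the CA that issued the phones' certificates, and an SSL VPN tunnel-group that authenticates by certificate only. The trustpoint, pool, group and tunnel-group names, the hostname vpn.example.com and the 10.10.10.0/24 pool are assumptions, and the syntax assumes an ASA running 8.4 or later.

```cisco
! --- Assumed names (constructed for this example) ---
! ASA-ID-CERT : trustpoint holding the certificate the ASA presents to clients
! CLIENT-CA   : trustpoint holding the CA that issued the phones' certificates
! vpn.example.com, 10.10.10.0/24 : placeholder hostname and client pool

! 1) Identity certificate for the ASA. With a public CA, paste its chain at
!    "authenticate" and submit the CSR printed by "enroll". A self-signed
!    certificate works for testing but causes the client-side warning
!    described in the answer above.
crypto key generate rsa label ASA-RSA-KEY modulus 2048
crypto ca trustpoint ASA-ID-CERT
 enrollment terminal
 subject-name CN=vpn.example.com
 keypair ASA-RSA-KEY
crypto ca authenticate ASA-ID-CERT
crypto ca enroll ASA-ID-CERT
ssl trust-point ASA-ID-CERT outside

! 2) Trust the CA that issued the client (phone) certificates. Only client
!    certificates chaining to this CA will be accepted by the ASA.
crypto ca trustpoint CLIENT-CA
 enrollment terminal
crypto ca authenticate CLIENT-CA

! 3) SSL VPN with certificate-only authentication.
ip local pool MOBILE-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
group-policy MOBILE-GP internal
group-policy MOBILE-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value MOBILE-POOL
tunnel-group MOBILE-TG type remote-access
tunnel-group MOBILE-TG general-attributes
 default-group-policy MOBILE-GP
tunnel-group MOBILE-TG webvpn-attributes
 ! "authentication aaa certificate" would additionally prompt for a
 ! username and password; certificate-only (no user interaction) is:
 authentication certificate
 ! Clients select this tunnel-group via https://vpn.example.com/mobile
 group-alias mobile enable
```

The phone's certificate must be issued by the CA loaded into CLIENT-CA (the ASA's local CA or a Windows Server CA, as the answer says), otherwise the handshake fails before any tunnel-group is selected.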
Thank you for your full description.
I checked with a Cisco agent in our country; he told me that I need the ASA5505-SEC-BUN-K9 bundle to support AnyConnect. I don't know why; the price is different from the ASA5505-BUN-K9, it's around double, and I need the ASA only for VPN on-demand for iPhone and iPad. I see some sites saying that VPN on-demand can work with a Cisco IOS router based on certificate auth.
So my question is: can a normal ASA5505-BUN-K9 with 2 licences help me to make AnyConnect work on iPhone?
Hi Martin - For testing I am using a self-made certificate. With that it always shows a warning, and after that it asks me for username & password.
Is there any way, for testing, that I can bypass the username & password input?
Can I use a test certificate to authenticate & bypass the username & password input?
How is this possible?
Also you mentioned the client should be configured with the AnyConnect URL. Where should I specify this?
Where can we access the above Dropbox links? It seems there is some great information included in the docs, but unfortunately the links are no longer active.
Appreciate your help.
I'm looking for the same solution you posted; if you can help me on some points:
I have a router 1811 with IOS 12.4 and I don't have an ASA. If you succeeded with what you were looking for, what equipment do you have for it?
I don't need to buy an ASA, but if it's important I'm looking at a normal ASA5505-BUN-K9 just for this point.
Can you post your config please?
Thank you for your help.
Sorry for my bad English.