ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSLVPN

ciscomoderator (Community Manager)

with Jason Gervia

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how you can extend your remote access VPN capabilities to the various Apple iOS devices, including the iPad, iPhone, and iTouch, with Cisco expert Jason Gervia. Jason is a Customer Support Engineer at the Cisco Technical Assistance Center in North Carolina, where he has been for almost four years. He is currently team lead of the VPN technology team. His area of expertise is in the VPN and security realm, including Cisco IOS IPSec VPNs, public key infrastructures, Cisco IOS SSL VPN, and Cisco Security Manager. Jason holds CCIE Security certification 26894.

Remember to use the rating system to let Jason know if you have received an adequate response.

Jason might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security discussion forums shortly after the event. This event lasts through February 11, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

37 Replies

OK, if I'm using IPSec PSK (without certificates), is it secure enough? I mean the PSK can be known throughout the company and by an attacker, but I think IPSec is using session keys for encryption, so is knowing the PSK a security problem or not?

Can I manage which users can connect through RADIUS, or can anyone who has the PSK connect?

Thanks

sding2006 (Level 1)

Hi Jason,

Our VPN server has the following sh ver related to license

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 200      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : 5000     
WebVPN Peers                 : 250      
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Proxy Sessions            : 2       

This platform has an ASA 5540 VPN Premium license.

We have both IPSec and SSL VPN configured. Will we be able to use the AnyConnect client on iPhone/iPad etc.? Do we have to buy the AnyConnect for Mobile license in order to do that?

Thanks,

Shiling

Shiling,

You do need the AnyConnect for Mobile license in order to activate the feature (it's not a per seat license).

The license is

ASA-AC-M-55XX

where the 'XX' is the last 2 digits of your ASA model number - so for your ASA 5540 you would need an ASA-AC-M-5540 license.

You can read more about licensing here:

http://www.cisco.com/en/US/customer/prod/collateral/vpndevc/ps6032/ps6094/ps6120/overview_c78-527488.html

Or check the AnyConnect FAQ:

https://supportforums.cisco.com/docs/DOC-1361#Q_How_does_the_mobile_license_workordered

Shaun Bender (Level 4)

Hi,

Running AnyConnect (latest version) on Apple iOS devices, mainly iPod Touch, running iOS 4.2.1.

Connecting to an ASA 5510 running 8.3(1).

Have issued a certificate to the ASA and iPod Touch from our Windows 2008 R2 CA.

When setting an AnyConnect connection (on the iPod) to use certificates, the following error is shown:

"The connection requires a client certificate but no matching certificates is configured.

Please modify this connection, choose a valid certificate and try again."

Has anyone else seen or have resolved this issue?

Also, what would be some things to check to help resolve this issue?

Thanks

Shaun,

This error would seem to indicate that you don't have the Root and/or Intermediate certificate(s) installed on the ASA and iPhone.

When doing certificate authentication, the ASA sends a message to the client (in this case, the iPhone) to tell the client what CA certificates the ASA has installed, so the client can choose what certificate to send to the ASA.

This error message seems to indicate that the ASA either doesn't have a CA certificate installed, or that the CA certificates being presented to the client don't match as being the issuer of the client's certificates, so it doesn't know which certificate to send to the ASA.

Check to make sure your phone and ASA have an ID certificate as well as the CA certificate of the Windows 2008 server that issued them installed. If that looks correct, or if you still have issues after installing them:

Gather debugs on the ASA at the following levels from a connection attempt:

debug cry ca transaction 127

debug cry ca messages 127

debug cry ca 127

That should tell you why any PKI is failing. If not, collect the ASA's running-configuration and I can take a look at the configuration to see if there is a misconfiguration.

--Jason
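The answer above describes the certificate exchange in words; the following is an added example (not configuration from this thread or from Cisco's own documentation) of the ASA-side pieces it assumes are in place for certificate-authenticated AnyConnect from iOS against a Windows CA. Every name (CORP-CA, ASA-ID, IOS-CERT, GP-IOS, vpn.example.com, ca.example.com, the AnyConnect image filename) is a placeholder, and SCEP enrollment of the ASA identity certificate assumes the Windows 2008 R2 CA runs the NDES role. Syntax is for the 8.3 train discussed in the thread (`svc` keywords, renamed `anyconnect` in 8.4).

```cisco
! 1. Trustpoint holding only the certificate of the CA that issued the
!    client certificates. The ASA advertises the subject DN of every CA
!    certificate it holds in the TLS CertificateRequest; the iOS client
!    offers a certificate only if its issuer is on that list, otherwise it
!    raises the "no matching certificates" error quoted above.
crypto ca trustpoint CORP-CA
 enrollment terminal
crypto ca authenticate CORP-CA
! paste the base64 CA certificate exported from the Windows CA when prompted

! 2. Separate trustpoint for the ASA's own identity certificate so the
!    device can verify the gateway. SCEP enrollment is assumed here.
crypto key generate rsa label ASA-ID modulus 2048
crypto ca trustpoint ASA-ID
 enrollment url http://ca.example.com/certsrv/mscep/mscep.dll
 subject-name CN=vpn.example.com,O=Example
 fqdn vpn.example.com
 keypair ASA-ID
crypto ca authenticate ASA-ID
crypto ca enroll ASA-ID

! 3. Present the identity certificate on the outside interface and require
!    a client certificate on the connection profile the iOS devices use.
ssl trust-point ASA-ID outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy GP-IOS internal
group-policy GP-IOS attributes
 vpn-tunnel-protocol svc
tunnel-group IOS-CERT type remote-access
tunnel-group IOS-CERT general-attributes
 default-group-policy GP-IOS
tunnel-group IOS-CERT webvpn-attributes
 authentication certificate
 group-alias ios enable

! 4. Checks before testing from the device: every trustpoint must show a
!    CA certificate, ASA-ID must also show an ID certificate, and the CA
!    certificate's subject DN must equal the issuer DN shown on the client
!    certificate in the device's profile details.
show crypto ca trustpoints
show crypto ca certificates
```

When reading the `debug crypto ca` output, the line to look for is the issuer DN of the certificate the client actually presented: if no trustpoint on the ASA holds a CA certificate with that subject, validation ends in "No suitable trustpoints found" regardless of what the device's profile shows.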

Hi Jason,

Here is what the debug output is showing:

# CERT API thread wakes up!

CRYPTO_PKI: Sorted chain size is: 1

CRYPTO_PKI: Found ID cert. serial number: 018E7EBC0548B528425E, subject name: c=US,cn=4EF445C1-4676-4D98-B309-D9E60C353D2B

CRYPTO_PKI: Verifying certificate with serial number: 018E7EBC0548B528425E, subject name: c=US,cn=4EF445C1-4676-4D98-B309-D9E60C353D2B, issuer_name: cn=Apple iPhone Device CA,ou=Apple iPhone,o=Apple Inc.,c=US.

CRYPTO_PKI: Checking to see if an identical cert is

already in the database...

CRYPTO_PKI(Cert Lookup) issuer="cn=Apple iPhone Device CA,ou=Apple iPhone,o=Apple Inc.,c=US" serial number=01 8e 7e bc 05 48 b5 28 42 5e                      |  ..~..H.(B^

CRYPTO_PKI: looking for cert in handle=ac78c848, digest=

f5 07 78 fc f6 99 ff 89 96 e1 3e cf a1 a4 75 11    |  ..x.......>...u.

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 018E7EBC0548B528425E, subject name: c=US,cn=4EF445C1-4676-4D98-B309-D9E60C353D2B, issuer name: cn=Apple iPhone Device CA,ou=Apple iPhone,o=Apple Inc.,c=US .

CRYPTO_PKI: No suitable TP status.

CRYPTO_PKI: cert validation failed to find trustpoint

CERT API thread sleeps!

On our iOS device, under the following:

General > Profile(name of profile used in iPhone Config utility--for SCEP) > *Profile* > More Details:

Signing Certificate:

iPhone Configuration…(text cut off)

Issued by: iPhone Configuration.... (text cut off)

Certificate:

(shows all the info issued from our internal CA)

On our internal CA it does show the certificate issued successfully, along with a cert issued to the ASA.

However, I did notice this, not sure if it matters: when I exported the SCEP profile from the iPhone Configuration Utility, I had the following turned on:

iPhone Configuration Utility:

Export Configuration Profile

Security: Signed Configuration Profile

Would "Security" need to be set to "None" on the export? Would that be an issue?

I've attached a screen cap for a little better explanation of what is on my iOS device.

Thanks

Hi Jason,

I have this working now. I had the certs all messed up.  Once I redid all the certs things are working like a charm.

I used a Web Server cert on the ASA and a Client cert on the Apple devices.

Things are working great.

Thanks!

clausonna (Level 3)

How do the iPhone/iPad appear to the ASA's pre-login OS detection policy? I assume it's 'Mac', but is there a way (or a need?) to differentiate between a device running OSX vs iOS? Does Host Scan support iOS, can I do certificate-based authentication, and does the Advanced Endpoint / Remediation ability work on Macs or iPads?

Thanks!

Clausonna,

You won't be able to do a pre-login check with clientless and the iPhone, as CSD/hostscan is not supported on the iPhone currently - which means no AES as well. You can do certificate authentication, though.

AES/CSD is supported on the Mac.

--Jason

OK, but does an iPhone/iPad 'look' the same to the pre-login policy? Or are you saying that those devices just bypass Host Scan / pre-login entirely, and just jump right to the authentication part? How does that affect DAP?

I guess I'm concerned that an OSX Mac could connect but somehow bypass the pre-login checks if it's able to spoof itself as an iPhone. I also want to set myself up for the point where I have 'managed' and 'unmanaged' iPhones that VPN in, and have the ability to assign one policy / ACL / DHCP pool / whatever to the two different 'types' of devices.

Thanks.

clausonna,

pre-login:

The iPhone bypasses the pre-login policy (similar to if you cancel out of all the downloads to prevent hostscan from running on a PC) - you will be able to log in with the iPhone, but it will not return any of the hostscan values due to not running hostscan.

DAP:

DAP isn't affected per se - it just won't return hostscan values other than AAA values (if using clientless).  Anyconnect will return, after login, the following:

endpoint.os.version="Apple Plugin"

If you bypass hostscan, I'm not sure how you would masquerade as another OS type - the OS detection doesn't appear to be using the HTTP user agent for checking.  I can try to find out how we check for the OS if hostscan is not running - but the information may be proprietary.

As far as managed vs unmanaged iPhone types - there is not really any way without hostscan to tell one iPhone from another; you'd have to set up a different tunnel group for your managed vs unmanaged iPhones, but that depends on the users to make a decision.
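One way to take the "users make a decision" step out of the managed vs unmanaged split, as an added example that is not configuration from this thread: let the certificate, rather than the user's choice of alias, select the connection profile. This assumes the corporate CA (whose certificate is already in an ASA trustpoint named CORP-CA) issues managed devices a certificate with OU=Managed-Mobile, that unmanaged devices have no such certificate and authenticate with username/password against a RADIUS server group named RADIUS-SRV, and that ACL-MANAGED and ACL-UNMANAGED already exist. All other names and addresses are placeholders; syntax is for the 8.3 train.

```cisco
! Certificate map: match the issuer DN and an OU value that only the
! managed-device certificate template sets. Values are assumptions.
crypto ca certificate map MANAGED-IOS 10
 issuer-name attr cn eq corp-issuing-ca
 subject-name attr ou eq managed-mobile

! Managed devices: their own pool, policy and vpn-filter.
ip local pool POOL-MANAGED 10.20.30.1-10.20.30.254 mask 255.255.255.0
group-policy GP-MANAGED internal
group-policy GP-MANAGED attributes
 vpn-tunnel-protocol svc
 vpn-filter value ACL-MANAGED
 ! vpn-filter ACE direction is not intuitive (inside side as source,
 ! client as destination); confirm against the ASA configuration guide
tunnel-group MANAGED-IOS type remote-access
tunnel-group MANAGED-IOS general-attributes
 address-pool POOL-MANAGED
 default-group-policy GP-MANAGED
tunnel-group MANAGED-IOS webvpn-attributes
 authentication certificate

! Unmanaged devices: AAA only, a different pool and a tighter filter.
ip local pool POOL-UNMANAGED 10.20.40.1-10.20.40.254 mask 255.255.255.0
group-policy GP-UNMANAGED internal
group-policy GP-UNMANAGED attributes
 vpn-tunnel-protocol svc
 vpn-filter value ACL-UNMANAGED
tunnel-group UNMANAGED-IOS type remote-access
tunnel-group UNMANAGED-IOS general-attributes
 address-pool POOL-UNMANAGED
 default-group-policy GP-UNMANAGED
 authentication-server-group RADIUS-SRV
tunnel-group UNMANAGED-IOS webvpn-attributes
 authentication aaa
 group-alias unmanaged enable

! Bind the map to the managed profile. A device presenting a certificate
! that matches the map lands in MANAGED-IOS whatever alias it selected;
! a device with no matching certificate cannot reach that profile at all.
webvpn
 tunnel-group-list enable
 certificate-group-map MANAGED-IOS 10 MANAGED-IOS
```

The security property this buys is that membership in the managed profile rests on possession of a key certified by your CA, not on a user-visible choice; it still does not tell you anything about the device's posture, which is exactly the hostscan gap described above.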

Jason - I'm also trying to get my DAP policies to get a match on the LUA EVAL statement. When I turn on DAP debugging (error and trace) I see the following:

DAP_TRACE: dap_add_csd_data_to_lua:endpoint.feature="failure"
DAP_TRACE: name = endpoint.feature, value = "failure"
DAP_TRACE: dap_add_csd_data_to_lua:endpoint.os.version="Apple Plugin"  <<-----------
DAP_TRACE: name = endpoint.os.version, value = "Apple Plugin"
DAP_TRACE: Username: xxxxxx, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: xxxxxx, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: xxxxxx, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: xxxxxx, DAP_close: 761406E8

I've tried to get the Lua to match using the exact same string that I see coming back from the debug. My Lua check looks like this:

EVAL(endpoint.os.version, "EQ", "Apple Plugin", "STRING"). I've also tried "NE", just trying to get something to match, but it doesn't seem to match even when I use the NE value, even though I'm using the exact returned value.

For this specific check (I have several other checks) I have no other entries in this specific DAP policy, such as checking for an AAA attribute or endpoint attribute, just this one Lua check, and it keeps coming back as failing so my connection fails. I really need to match on something unique on the iPad, just having a hard time finding something that makes it unique.

I have a cert on the machine that I was trying to do some cert to ssl vpn connection profile mapping but was not able to get that to work either. I'm about out of ideas on this one...

Thanks,

Bruce

Bruce,

Two things - this check won't work if you're using an AnyConnect Essentials license.

It can also be related to the following bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=csctj46900

Which is fixed in the 8.2(4),  8.3(2)13  and 8.4(1) code on CCO.

--Jason

Thanks Jason for the response. I am running the Essentials license, and thanks for the update on the bug. I'm probably running into this one because I am running 8.3(2)12. I'll probably try to get the 8.4(1) version which is on the download page. Are there any other issues with DAP in 8.4 that I should be aware of from a DAP standpoint? I'll review the release notes and if it looks good probably get this upgraded and tested. Thanks again.

Bruce

joe-vieira (Level 1)

Hi Jason,

We currently have ASA 5520s for our SSL VPN needs. We use AnyConnect for company laptops that have to meet posture requirements and clientless for users' home PCs. We now have a requirement to test iPhone SSL VPN connections. The clientless version doesn't work because it doesn't support Java to connect to terminal servers after authentication. I need information on how to configure the ASAs for iPhone using AnyConnect. Do we need to add a new profile?

Thanks