Getting AnyConnect to work on demand on the iPhone

MikeM-2468
Level 1

I've got certificate based authentication working on the iPhone with AnyConnect and my ASA.  Now I need to get the on demand function to work.  AnyConnect is configured to use certificates, the certificate is selected and connect on demand is turned on. I have my internal domain added to always connect.  As a test I'm trying to access one of the web servers in the domain via Safari on the iPhone.  It appears to recognize that the VPN is needed, but I get the message "The VPN connection requires an application to start up."  My only option is to tap OK and then I get the Safari can't open page message.  Using a ping tool, it never tries to initiate the VPN.

16 Replies

Thanks for the reply.  Connect on demand rules are pretty simple.  That's not the issue.  I've checked to be sure, and that's not the problem.

The solution was in setting a VPN group url on the ASA and changing the server address in the AnyConnect config to the VPN group url.

Hey Mike. I'm having the same problem. Can you explain your solution a little further. Thanks!

On the ASA, you setup the AnyConnect Connection Profile.  In there, you have Advanced -> SSL VPN.  You need the Group URL set to something like https://ssl.domain.com/anyconnect.  Then in your AnyConnect client on the iPhone, you set the server address to ssl.domain.com/anyconnect.

Do you already have the other stuff like the certificate installed on the phone and the CA on the ASA?

bogdan.badiu
Level 1

Hi,

I have the same nasty message: "the vpn connection requires an application to start up".

In my opinion, this happens due to the following reasons:

-> Auth with user / pass is required;

-> At this moment, I think you can not do any of the following:

  ---> save the password for AnyConnect as you do with with Easy VPN Client ( IPSEC Client):

"

Q. Is it possible to save the password credentials on AnyConnect so that it will not request authentication from the user (password storage feature)?

    A. No, it is not possible to save the password credentials on AnyConnect.

"

  The above Q&A is taken from

http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml (the 26th of July 2011)...

  ---> the Anyconnect client can not launch an iOS popup in order for you to enter the credentials ...

All the above is true for ASA 8.0.5 and iOS 5.1 ...

BR,

Bogdan

Hello,

I have tested with only "authentication certificate" under tunnel-group XXX webvpn-attributes (it was "authentication aaa certificate" until now) and connect on demand is working ...

So it seems that my previous supposition is right ...

But this solution is NOT OK for me ...

BR,

Bogdan

Hi Bogdan,

Just got an iPad with iOS 5.1 and ran into exactly the same issue as you described above. Only "auth cert" works for VPNoD with AnyConnect, leaving me without my RADIUS user-level control... Not good. BADDD!!!

Anyone found a solution so far?

Regards,

Dimitry

Ya, seeing the same thing.  Looks like the "certificate" validation only does normal crypto and revocation validation of the presented certificate, but doesn't touch RADIUS for authentication.  In our configuration, specifying "Both" for the authentication policy requires the user to provide user/pass credentials, and then those get passed to RADIUS.

This is bad from a security standpoint because it just validates that the connecting user has a valid certificate, not that it belongs to a valid/active/authorized user (unless it has been revoked and CRL is working correctly on the ASA).  From a user-experience standpoint, requiring user auth is bad because now the user has to open the AnyConnect client to authenticate instead of connecting stealthily like VPNoD is supposed to do.

The root problem is that it appears that the Cisco ASA doesn't support PEAP/EAP which is required to pass a certificate via RADIUS for authentication.... I am validating this with Apple and Cisco to see what options really exist besides the current sub-par one.

Acruzgreg
Level 1

Hi Mike,

I need to implement the same solution. At this moment I have a problem with certificate-based authentication: I configured the ASA in CA server mode and imported the client certificate onto the iPhone, but when I connect to the AnyConnect VPN it can't authenticate with the certificate and asks me for the username and password...

Can you help me with your comments, please?

Thanks in advance.

Did you set and are you using the group URL?

Hi,

In case you already have the ASA properly as the LOCAL CA server and the iPhone already has the certificate installed please attach the following log output from the ASA during a connection attempt.

debug crypto ca 255

Thanks in advance.

Hi,

For authentication with the ASA CA server I am using Manual certificate retrieval.

I attached the logs from "debug crypto ca 255".

Thanks for your help.

%ASA-6-725001: Starting SSL handshake with client outside:189.253.X:X/2219 for TLSv1 session.

%ASA-7-725010: Device supports the following 4 cipher(s).

%ASA-7-725011: Cipher[1] : RC4-SHA

%ASA-7-725011: Cipher[2] : AES128-SHA

%ASA-7-725011: Cipher[3] : AES256-SHA

%ASA-7-725011: Cipher[4] : DES-CBC3-SHA

%ASA-7-725008: SSL client outside:189.253.X.X/2219 proposes the following 6 cipher(s).

%ASA-7-725011: Cipher[1] : RC4-MD5

%ASA-7-725011: Cipher[2] : RC4-SHA

%ASA-7-725011: Cipher[3] : DES-CBC-SHA

%ASA-7-725011: Cipher[4] : DES-CBC3-SHA

%ASA-7-725011: Cipher[5] : AES128-SHA

%ASA-7-725011: Cipher[6] : AES256-SHA

%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:189.253.X.X/2219

%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: sslv3 alert certificate unknown

%ASA-6-725006: Device failed SSL handshake with client outside:189.253.X.X/2219

%ASA-7-710005: TCP request discarded from 189.253.X.X/2219 to outside:200.57.X.X/443

%ASA-6-725001: Starting SSL handshake with client outside:189.253.X.X/50445 for TLSv1 session.

%ASA-7-725010: Device supports the following 4 cipher(s).

%ASA-7-725011: Cipher[1] : RC4-SHA

%ASA-7-725011: Cipher[2] : AES128-SHA

%ASA-7-725011: Cipher[3] : AES256-SHA

%ASA-7-725011: Cipher[4] : DES-CBC3-SHA

%ASA-7-725008: SSL client outside:189.253.X.X/50445 proposes the following 6 cipher(s).

%ASA-7-725011: Cipher[1] : RC4-MD5

%ASA-7-725011: Cipher[2] : RC4-SHA

%ASA-7-725011: Cipher[3] : DES-CBC-SHA

%ASA-7-725011: Cipher[4] : DES-CBC3-SHA

%ASA-7-725011: Cipher[5] : AES128-SHA

%ASA-7-725011: Cipher[6] : AES256-SHA

%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:189.253.X.X/50445

%ASA-7-717025: Validating certificate chain containing 1 certificate(s).

%ASA-7-717029: Identified client certificate within certificate chain. serial number: 0F, subject name: cn=acruz.

%ASA-7-717030: Found a suitable trustpoint LOCAL-CA-SERVER to validate certificate.

%ASA-6-717022: Certificate was successfully validated. serial number: 0F, subject name:  cn=acruz.

%ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.

CERT API thread wakes up!

CRYPTO_PKI: Checking to see if an identical cert is

already in the database...

%ASA-6-725002: Device completed SSL handshake with client outside:189.253.X.X/50445

CRYPTO_PKI: looking for cert in handle=3d4a45b8, digest=

94 e1 e9 61 b2 59 1c 72 74 22 96 ed d6 65 82 8e    |  ...a

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: Storage context locked by thread CERT API

CRYPTO_PKI: Found a suitable authenticated trustpoint LOCAL-CA-SERVER.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage extension not found.

CRYPTO_PKI:check_key_usage:Key Usage check OK

CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary

CRYPTO_PKI:Certificate validated. serial number: 0F, subject name:  cn=acruz.

CRYPTO_PKI: Storage context released by thread CERT API

CRYPTO_PKI: Certificate validated without revocation checkCERT API thread sleeps!

%ASA-7-717036: Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.

%ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.

CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.

CRYPTO_PKI: No Tunnel Group Match for peer certificate.

%ASA-6-725007: SSL session with client outside:189.253.X.X/50445 terminated.

%ASA-6-725001: Starting SSL handshake with client outside:189.253.X.X/1381 for TLSv1 session.

%ASA-7-725010: Device supports the following 4 cipher(s).

%ASA-7-725011: Cipher[1] : RC4-SHA

%ASA-7-725011: Cipher[2] : AES128-SHA

%ASA-7-725011: Cipher[3] : AES256-SHA

%ASA-7-725011: Cipher[4] : DES-CBC3-SHA

%ASA-7-725008: SSL client outside:189.253.X.X/1381 proposes the following 6 cipher(s).

%ASA-7-725011: Cipher[1] : RC4-MD5

%ASA-7-725011: Cipher[2] : RC4-SHA

%ASA-7-725011: Cipher[3] : DES-CBC-SHA

%ASA-7-725011: Cipher[4] : DES-CBC3-SHA

%ASA-7-725011: Cipher[5] : AES128-SHA

%ASA-7-725011: Cipher[6] : AES256-SHA

%ASA-7-725012: Device chooses cipher : RC4-SHA for the SSL session with client outside:189.253.X.X/1381

CERT API thread wakes up!

%ASA-7-717025: Validating certificate chain containing 1 certificate(s).

%ASA-7-717029: Identified client certificate within certificate chain. serial number: 0F, subject name: cn=acruz.

%ASA-7-717030: Found a suitable trustpoint LOCAL-CA-SERVER to validate certificate.

%ASA-6-717022: Certificate was successfully validated. serial number: 0F, subject name:  cn=acruz.

%ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.

%ASA-6-725002: Device completed SSL handshake with client outside:189.253.X.X/1381

CRYPTO_PKI: Checking to see if an identical cert is

already in the database...

%ASA-7-717036: Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.

%ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.

CRYPTO_PKI: looking for cert in handle=3d4a45b8, digest=

94 e1 e9 61 b2 59 1c 72 74 22 96 ed d6 65 82 8e    |  ...a

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: Storage context locked by thread CERT API

CRYPTO_PKI: Found a suitable authenticated trustpoint LOCAL-CA-SERVER.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage extension not found.

CRYPTO_PKI:check_key_usage:Key Usage check OK

CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary

CRYPTO_PKI:Certificate validated. serial number: 0F, subject name:  cn=acruz.

CRYPTO_PKI: Storage context released by thread CERT API

CRYPTO_PKI: Certificate validated without revocation checkCERT API thread sleeps!

CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.

CRYPTO_PKI: No Tunnel Group Match for peer certificate.

%ASA-6-725007: SSL session with client outside:189.253.X.X/1381 terminated.
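The three things that matter in this output (a TLS handshake aborted by the peer, the client certificate accepted "without revocation check", and no tunnel-group found after the certificate validated) are easy to miss among the cipher lines. The following triage script is an added example, not part of the thread: it groups the syslog and debug lines by client address/port and reports one verdict per session. The embedded sample is a shortened, constructed copy of the lines above, with the addresses masked the way the poster masked them.

```python
"""Per-session triage of ASA syslog + `debug crypto ca` output from an
AnyConnect certificate-authentication attempt.

Added example (not code from the thread).  Message IDs used:
  725001 handshake start   725014/725006 TLS failure   725002 handshake done
  717022 client cert validated   717028 revocation not checked
  717037 certificate-map lookup failed   725007 session terminated
"""
import re

# Constructed sample, trimmed from the posted log: one session that fails TLS,
# one whose certificate validates but matches no tunnel-group.
SAMPLE_LOG = """\
%ASA-6-725001: Starting SSL handshake with client outside:189.253.X.X/2219 for TLSv1 session.
%ASA-7-725014: SSL lib error. Function: SSL3_READ_BYTES Reason: sslv3 alert certificate unknown
%ASA-6-725006: Device failed SSL handshake with client outside:189.253.X.X/2219
%ASA-6-725001: Starting SSL handshake with client outside:189.253.X.X/50445 for TLSv1 session.
%ASA-6-717022: Certificate was successfully validated. serial number: 0F, subject name:  cn=acruz.
%ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
%ASA-6-725002: Device completed SSL handshake with client outside:189.253.X.X/50445
%ASA-4-717037: Tunnel group search using certificate maps failed for peer certificate: serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.
CRYPTO_PKI: No Tunnel Group Match for peer certificate.
%ASA-6-725007: SSL session with client outside:189.253.X.X/50445 terminated.
"""

MSG_RE = re.compile(r"%ASA-\d-(\d{6}):")
PEER_RE = re.compile(r"client outside:(\S+)")
SUBJECT_RE = re.compile(r"subject name:\s+(cn=[^,.\s]+)")

ADVICE = {
    "tls_failed": "peer aborted the handshake with a certificate_unknown alert: "
                  "check that the phone trusts the ASA's identity certificate",
    "no_tunnel_group": "client certificate validated but no tunnel-group matched: "
                       "use a group-url/group-alias or add a certificate map",
    "ok": "client certificate validated and a tunnel-group was found",
    "incomplete": "session ended before a certificate decision was logged",
}


def triage(log_text):
    """Return {peer: {verdict, advice, subject, revocation_checked, certmap_failed}}."""
    sessions = {}     # insertion-ordered: peer "ip/port" -> raw state
    current = None    # CRYPTO_PKI debug lines carry no peer; attach to last session
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MSG_RE.match(line)
        msg_id = m.group(1) if m else None
        if msg_id == "725001":
            current = PEER_RE.search(line).group(1)
            sessions[current] = {"subject": None, "cert_validated": False,
                                 "revocation_checked": None, "tls_failed": False,
                                 "certmap_failed": False, "tunnel_group_matched": None}
            continue
        if current is None:
            continue   # debug noise before the first handshake
        s = sessions[current]
        if msg_id in ("725014", "725006"):
            s["tls_failed"] = True
        elif msg_id == "717022":
            s["cert_validated"] = True
            sm = SUBJECT_RE.search(line)
            if sm:
                s["subject"] = sm.group(1)
        elif msg_id == "717028" and "not checked" in line:
            s["revocation_checked"] = False
        elif msg_id == "717037":
            s["certmap_failed"] = True   # cert-map miss; harmless if group-url matches
        elif "No Tunnel Group Match" in line:
            s["tunnel_group_matched"] = False

    result = {}
    for peer, s in sessions.items():
        if s["tls_failed"]:
            verdict = "tls_failed"
        elif s["cert_validated"] and s["tunnel_group_matched"] is False:
            verdict = "no_tunnel_group"
        elif s["cert_validated"]:
            verdict = "ok"
        else:
            verdict = "incomplete"
        result[peer] = {"verdict": verdict, "advice": ADVICE[verdict],
                        "subject": s["subject"],
                        "revocation_checked": s["revocation_checked"],
                        "certmap_failed": s["certmap_failed"]}
    return result


if __name__ == "__main__":
    for peer, info in triage(SAMPLE_LOG).items():
        flag = " (revocation NOT checked)" if info["revocation_checked"] is False else ""
        print(f"{peer}: {info['verdict']}{flag} - {info['advice']}")
```

Run it against a capture of `debug crypto ca 255` plus the 725xxx/717xxx syslogs; a session that validates the certificate and then ends with "No Tunnel Group Match" is exactly the case a group-url, group-alias or certificate map fixes, while a `revocation_checked` of False with certificate-only authentication means a lost or copied certificate would still get in.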

Hi,

The ASA cannot find a tunnel-group for this session:

CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary

CRYPTO_PKI:Certificate validated. serial number: 0F, subject name:  cn=acruz.

CRYPTO_PKI: Storage context released by thread CERT API

CRYPTO_PKI: Certificate validated without revocation checkCERT API thread sleeps!

CRYPTO_PKI: Attempting to find tunnel group for cert with serial number: 0F, subject name: cn=acruz, issuer_name: cn=mobile.domain.com.

CRYPTO_PKI: No Tunnel Group Match for peer certificate.

We have three options:

1- Group URL's.

2- Group Alias.

ASA 8.x: Allow Users to Select a Group at WebVPN Login via Group-Alias and Group-URL Method

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

3- Certificate mapping.

Certificate mapping to AnyConnect tunnel-group

http://itsecworks.wordpress.com/2011/07/15/certificate-mapping-to-anyconnect-tunnel-group/

It's up to you which one to use, perhaps the group-url would be the easiest one.

Let me know.

Thanks.

Please rate this post if you find it helpful.
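A CLI rendering of the three options above, added here as an example and not taken from the thread or from Cisco documentation. The tunnel-group name, group-policy, hostname and certificate-map name are placeholders; `authentication certificate` is the certificate-only setting that the thread reports as the one VPN on demand works with, and because that setting accepts any unrevoked certificate from the CA, the trustpoint is also set to check the CRL (this assumes the CRL published by the local CA server is reachable by the ASA), which the posted log shows was not happening.

```text
! Revocation checking: with certificate-only auth this is what stops a
! lost phone's certificate from still getting in (assumes the CRL is reachable).
crypto ca trustpoint LOCAL-CA-SERVER
 revocation-check crl
!
! Option 3: pick the tunnel-group from the certificate issuer, so the client
! does not have to name the group at all.
crypto ca certificate map MOBILE-CERTS 10
 issuer-name attr cn eq mobile.domain.com
!
tunnel-group ANYCONNECT-MOBILE type remote-access
tunnel-group ANYCONNECT-MOBILE general-attributes
 default-group-policy MOBILE-POLICY
tunnel-group ANYCONNECT-MOBILE webvpn-attributes
 authentication certificate
 ! Option 2: group-alias, chosen from the drop-down on the portal/client
 group-alias anyconnect enable
 ! Option 1: group-url, selected by the address the client connects to
 group-url https://ssl.domain.com/anyconnect enable
!
webvpn
 certificate-group-map MOBILE-CERTS 10 ANYCONNECT-MOBILE
```

With the group-url, the server address in the iPhone's AnyConnect connection entry is `ssl.domain.com/anyconnect`, as in Mike's post; with the certificate map, the bare hostname is enough because the issuer of the phone's certificate selects the group, and the 717037 "certificate maps failed" message in the log should disappear.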