
iPad Cisco VPN Client certificate authentication?

Hi there,

We've successfully integrated iPad into our business recently. The iPad VPN works great over token, RADIUS and local authentication. But now we need to authenticate the VPN client via digital certificate (only VPN authentication between client and gateway). I'm not sure which certificate we should buy to authenticate the VPN client. The plan is to install a digital certificate on the VPN gateway (Cisco ASA 8.0.4) and the iPad Cisco IPSec client to eliminate user/pass authentication.

Can someone please advise urgently?

Thanks in advance.



Marcin Latosiewicz
Cisco Employee


You don't NEED to buy a certificate to do IPsec VPN.

If you have a Windows server it can be a CA and provide certificates; IOS can also be quite a decent CA.

In fact, if you were considering running SSLVPN, the ASA itself can serve as a CA.


Many Thanks,

Do I need to create a certificate for authentication between two devices? What if I'm using the ASA as CA?

Any resource link would be really appreciated.




You need one certificate for each side, signed by a trusted third party.

This is how it should work:

There is of course no separate link to iPad since we don't support it yet.


Hi Marcin

Could you answer a couple of questions for me?

1. I know the ASA side needs a certificate with the intention of authenticating itself to the client. Why does it need to authenticate? If you're a normal user then you know you want to connect; if you're a hacker then you want to connect just as equally. Is it really just a peace of mind thing? I'm just trying to understand the reason the server (ASA) really needs to authenticate.

2. If I use an internal CA such as Microsoft, won't the iPad/iPhone need to have that CA's key chain etc. installed so it will automatically trust the cert the ASA is presenting? Assuming I'm not using SCEP or any other form of auto enrollment, I assume I could add it using the iPhone config utility?

3. Even though I'm using a cert to authenticate, do I still have to create a user object for each user in the ASA? Seems a little admin intensive to me.



1)  In IPSEC, if you use certificate authentication, you both have to have certificates to mutually authenticate each other.  If using SSL, the ASA needs a cert so that you can encrypt data going to/from the ASA.

2)  Yes - if you don't, you'll get one of those annoying cert errors saying that the certificate couldn't be verified because it wasn't issued by a trusted CA.

3)  You can do certificate only authentication for remote access VPN without creating user IDs.

Thanks Jason,

That all makes sense and was kind of what I was thinking already; I just wanted to get some confirmation. One thing you could help me with: you said I can do cert auth and not need user IDs. How exactly do I go about configuring that? I have looked through ASDM (I admit I'm still fairly new to it) and couldn't get the feel for how to set up cert auth.

Another question on cert auth. I assume that the ASA will check the validity of the cert presented by the client by checking the usual things like expiry, CRL etc.? Yes or No is a good enough answer.

And one more thing: can the server cert and the client auth certs be issued from 2 different CAs? E.g. my server cert is issued by a public CA like Entrust so I know it will be automatically trusted by the client, and then I use my own internal Windows PKI to generate the user certs to keep the cost down? How does the end client (in my case an iPad using the built-in Cisco IPSec client) know which cert to present (if I have more than one on the device)?


Can someone expand on this subject? We have a similar setup but my knowledge of certs is not that great. We have an MS CA set up for the IPSEC client, using IE to install the needed certificates on the PC. How would we get the certs on the iPad?



I got this to work; there was an Xauth setting that I had to turn off to stop it from also asking for user credentials, and it worked perfectly. It recognised the cert and verified it was issued by the CA I set up in the config.

However, this raises a bit of a concern. Say I use a public CA, e.g. Verisign, to provide a server cert and also have them generate the client auth certs as well. Now wouldn't that let anyone (from my company or not) connect to my VPN if they also have a client auth cert from the same public CA? I think this because I am not specifically identifying the user on something the user "knows". Yes, I know this is not 2 factor but that's just how they want to do it.

Can I set something in my ASA to look at the client cert and verify that it belongs, e.g. look for my company name or, even better, the issued-to user, and I keep a list of the allowed users somewhere on the ASA?
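
One way to express the checks discussed in this thread (certificate-only authentication with Xauth off, CRL checking, and matching on issuer and subject fields rather than on CA trust alone) as an ASA configuration fragment. This is an added example, not part of the original thread: the names INTERNAL-CA, CERT-RULES and IPAD-CERT-VPN and the CN/O values are placeholders, and the syntax should be checked against the command reference for the ASA release in use.

```cisco
! Added example. All names and attribute values below are placeholders.
!
! Trustpoint for the CA that issues the client certificates.
! Enrollment settings are omitted; revocation is checked via CRL.
crypto ca trustpoint INTERNAL-CA
 revocation-check crl
!
! IKE phase 1 policy that authenticates peers with certificates
! (RSA signatures) instead of a pre-shared key.
crypto isakmp policy 10
 authentication rsa-sig
!
! Certificate map rule: a client certificate must match BOTH lines.
! Chaining to a trusted CA only proves who issued the certificate;
! this rule additionally pins the issuer CN and the subject O field.
crypto ca certificate map CERT-RULES 10
 issuer-name attr cn eq example-internal-ca
 subject-name attr o eq example-company
!
! Select the tunnel group from the certificate map rules above.
tunnel-group-map enable rules
tunnel-group-map CERT-RULES 10 IPAD-CERT-VPN
!
! Remote-access tunnel group for the certificate-only clients.
! "isakmp ikev1-user-authentication none" turns off Xauth, so no
! username/password prompt follows certificate authentication.
tunnel-group IPAD-CERT-VPN type remote-access
tunnel-group IPAD-CERT-VPN ipsec-attributes
 trust-point INTERNAL-CA
 isakmp ikev1-user-authentication none
```

A certificate that matches no rule is placed in the default tunnel group (DefaultRAGroup unless changed with `tunnel-group-map default-group`), so that group should not grant access.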



I have successfully installed my certificate issued by my internal CA, and when dialling the VPN I get the error below in the debug logs.

peer ID type 11 received (Unsupported)

I have searched on the net as to what this could mean but I have not found anything.

I can only think that the type of certificate that I am creating is not the correct type of certificate to use for VPN authentication.

Does anyone know whether I need to be generating a specific type of certificate? Currently I just go on a Windows server and generate a CSR using IIS. Not sure if that is the correct way of doing this though.