07-13-2010 02:28 AM
hi there,
Can someone guide me on how I can set up the ASA for our iPad clients for PKI (digital certificate authentication)? Our iPad users shouldn't need to input any user/password to connect to our VPN. I want to install certificates on both sides and let them authenticate.
Is there any other way to do it?
Can I do it with a self-signed certificate? Or
do I need to buy a third-party certificate?
Any config links and examples would be appreciated.
regards,
Syed,.
07-13-2010 05:07 AM
Check out Apple's deployment guide for the iPad:
http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf
It covers the requirements for the iPad/iPhone.
For certificate authentication, you can follow this link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
You should use these IPsec/ISAKMP settings, minus the 'mode transport', for the VPN client:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219
And obviously change your ISAKMP policy to not use a pre-shared key.
--Jason
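The pieces the reply above lists (an ISAKMP policy that authenticates with certificates instead of a pre-shared key, the L2TP example's IPsec settings without 'mode transport', and a tunnel-group tied to a trustpoint) put together as one ASA configuration. This is an added illustration, not a config from the thread, Jason, or Cisco's documents. It assumes pre-8.4 ASA syntax (8.0 to 8.2, as in the linked guide), an outside interface named outside, and made-up names: trustpoint VPN-CA, key pair VPN-KEY, host name vpn.example.com, address pool 10.20.202.10-100, certificate map IPAD-CERT-MAP, and client certificates whose OU is ipad-vpn. The group-policy, tunnel-group and crypto map names (IPAD_VPN, Remote_VPN) are the ones that appear later in the thread.

```text
! --- ASA identity certificate (assumed trustpoint name VPN-CA) ---
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint VPN-CA
 enrollment terminal
 subject-name CN=vpn.example.com,O=Example
 fqdn vpn.example.com
 keypair VPN-KEY
 revocation-check none
! Lab default; once the CA's CRL is reachable from the ASA, use
!  revocation-check crl  so revoked client certificates are rejected.
!
! Then, interactively:
!  crypto ca authenticate VPN-CA          (paste the CA certificate, PEM)
!  crypto ca enroll VPN-CA                (prints a CSR; sign it on the CA)
!  crypto ca import VPN-CA certificate    (paste the signed identity certificate)

! --- Phase 1: certificate (RSA signature) authentication, no pre-shared key ---
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp identity auto
crypto isakmp nat-traversal 20
crypto isakmp enable outside

! --- Phase 2: the L2TP example's transform without 'mode transport' ---
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-IPAD 200 set transform-set ESP-AES-SHA
crypto map Remote_VPN 200 ipsec-isakmp dynamic DYN-IPAD
crypto map Remote_VPN interface outside

! --- Address pool, group-policy and tunnel-group ---
ip local pool IPAD_POOL 10.20.202.10-10.20.202.100 mask 255.255.255.0
group-policy IPAD_VPN internal
group-policy IPAD_VPN attributes
 vpn-tunnel-protocol IPSec
tunnel-group IPAD_VPN type remote-access
tunnel-group IPAD_VPN general-attributes
 address-pool IPAD_POOL
 default-group-policy IPAD_VPN
tunnel-group IPAD_VPN ipsec-attributes
 trust-point VPN-CA
 ! no 'pre-shared-key' line here, and no XAUTH prompt for user/password:
 isakmp ikev1-user-authentication none

! --- Pick the tunnel-group from the client certificate, not from a group name ---
crypto ca certificate map IPAD-CERT-MAP 10
 subject-name attr ou eq ipad-vpn
tunnel-group-map enable rules
tunnel-group-map IPAD-CERT-MAP 10 IPAD_VPN
```

Two points worth checking against this. First, a certificate-authenticated client sends no group name, so without the certificate map (or a matching OU) the ASA falls back to its default tunnel-group, which is typically one that still expects a pre-shared key. Second, the client certificate must chain to a CA the ASA trusts through a trustpoint; self-signed client certificates do not work with `authentication rsa-sig`, although the ASA's own identity certificate can be self-signed as long as the iPad is given it to trust. On the iPad side, the client certificate plus private key (PKCS#12) and the CA certificate are installed through a configuration profile, as the Apple deployment guide above describes. After connecting, `show vpn-sessiondb detail remote` should report `Auth Mode : rsaCertificate` rather than `preSharedKeys`.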
07-14-2010 05:36 AM
Jason, many thanks for your help.
I'm not sure what's wrong with my config; the group-policy and tunnel-group are working. I can get my iPad working fine with local authentication, but it uses the crypto map for a different group. For example, I created two crypto maps, 100 and 200, but when I run the show cry ip sa command I see that the crypto map tag in use is 100, which is for another type of client VPN group.
I've uploaded the certificate to the iPad but I'm unable to get authenticated via it. Can you take a look at the attached config and the show command results below, and let me know how I can correct my config so the iPad can use certificate authentication instead of local?
Regards,
Crypto map tag: Remote_VPN, seq num: 100, local addr: 195.59.149.185
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.20.202.2/255.255.255.255/0/0)
current_peer: 195.59.149.180, username: cisco
dynamic allocated peer ip: 10.20.202.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 195.59.149.185/4500, remote crypto endpt.: 195.59.149.180/12050
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 0990CB50
inbound esp sas:
spi: 0x4DA962C6 (1302946502)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1925120, crypto-map: Remote_VPN
sa timing: remaining key lifetime (sec): 3594
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0x0990CB50 (160484176)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 1925120, crypto-map: Remote_VPN
sa timing: remaining key lifetime (sec): 3594
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Username : cisco Index : 465
Assigned IP : 10.20.202.2 Public IP : 195.59.149.180
Protocol : IKE IPsecOverNatT
License : IPsec
Encryption : 3DES AES128 Hashing : SHA1
Bytes Tx : 223 Bytes Rx : 2212
Pkts Tx : 2 Pkts Rx : 36
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : IPAD_VPN Tunnel Group : IPAD_VPN
Login Time : 10:23:35 GMT/BST Wed Jul 14 2010
Duration : 0h:06m:17s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKE Tunnels: 1
IPsecOverNatT Tunnels: 1
IKE:
Tunnel ID : 465.1
UDP Src Port : 12198 UDP Dst Port : 4500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
Encryption : 3DES Hashing : SHA1
Rekey Int (T): 3600 Seconds Rekey Left(T): 3230 Seconds
D/H Group : 2
Filter Name :
Client OS : iPhone OS Client OS Ver: 3.2
IPsecOverNatT:
Tunnel ID : 465.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.20.202.2/255.255.255.255/0/0
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 3600 Seconds Rekey Left(T): 3228 Seconds
Idle Time Out: 0 Minutes Idle TO Left : 0 Minutes
Bytes Tx : 223 Bytes Rx : 2212
Pkts Tx : 2 Pkts Rx : 36
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 373 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :