iPhone VPN configuration with Certificates, SCEP - Solution overview

Benjamin Waldon
Level 1

Hello,

I am embarking on a project that I would like to get some feedback on.

We are in the process of implementing iPhones into our network. We are running Exchange 2007 and the Cisco ASA 5510. The Exchange server is behind the ASA & we are not performing any port forwarding. Nor am I open to doing the port forwarding. So, the iPhone is going to run a VPN. Most likely, we will run the Anyconnect VPN client. I have this and it is working fine.

However, we have to manually connect to the VPN, put in the domain password, and connect before we can check our email. This is cumbersome. So, I am trying to use certificate-based authentication and the iPhone's "connect on demand" feature.

I have read about a number of people using a Windows Server and running Certificate Services & Network Device Enrollment Service. This uses a protocol called SCEP – Simple Certificate Enrollment Protocol. The idea is that the iPhone would be issued a certificate by the Windows server. Then, when it went to connect to the VPN, it would present the certificate as credentials to the ASA. The ASA would send the certificate to the Windows server and the Windows server would tell the ASA if it's good. If the Windows server said it was good, the ASA would then allow the VPN to connect.

I have the Certificate Authority (Windows Server 2008 R2) installed and running. However, I am encountering some trouble getting the iPhone to get the certificate from it. I have read a number of white papers and forum postings from Microsoft, Cisco, and Apple. Some indications are that it's feasible, but I am crossing a lot of technologies that are new to me and I am not sure if I am working uphill or what.

My questions are…

1). Is this a known configuration? Have you seen this configuration before? Was it successful?

2). Does this sound feasible? Is there a more feasible way to provide VPN connectivity? The goal is to open the VPN from the phone when they open the email application, without having any user interaction.

3). Within the Microsoft Certificate Services server, am I going to be able to manage the certificates individually and identify Jim's certificate separately from Sally's certificate? Or Sally's iPhone certificate separately from Sally's iPad certificate?

4). Do you know of any good documentation on this? I have read a number of articles and white papers. But, for some reason, there still seems to be something lacking. Seems like all the established documentation only addresses one aspect of this.

5). From the Cisco perspective, do I need to do this through the AnyConnect client, or can I do this through IPsec? If I do it through IPsec, am I still going to run into issues with a self-signed certificate on the ASA?

At any rate, any comments or suggestions in regards to the above would be much appreciated.

1 Reply

jonrojas
Level 1

Hello Benjamin,

Here I do my best to answer your questions:

1) Not that I have seen; you are trying to mix several features available into one complex network, which doesn't mean it is impossible to do.

2) If you want your users to have close to no interaction with the VPN client then this is the way to go; all they will have to do is to enroll their devices one time and then just go and click connect each time they want to access your internal resources via the tunnel.

3) Indeed each device has its own certificate; you will be able to identify them by the subject name that was specified by the phone at the moment of making the request. That would be part of the phone configuration, so that's pretty much all I can tell. In the server you will have the option to check the issued and revoked certificates so that you can have some control over it.

4) The documentation most of the time only provides the way to configure on a basic basis; if you want to go deeper it would be a better idea to read the release notes for the devices, features, etc. and experiment yourself. Also, forums like this one help a lot since there might be other people trying to accomplish ideas similar to yours. As well, it is better to look for the documentation on a small-range basis, for example, first looking at how to configure the ASA to use SCEP, how to configure the iPhone to use it, etc., since this will help you bring it all together instead of confusing you more.

5) Easy answer, the way to go is AnyConnect. SSL is a newer technology which gets updated more constantly and provides a lot more features than the IPsec client.

By the way, when authenticating the user using its certificate the ASA won't talk to the server; instead it will take all the data but the signature in the iPhone's certificate and will pass it through a hashing algorithm using the private key of the server, comparing its result with the signature of the iPhone's certificate. If both match then the certificate is valid.

I found the following PDF file from Apple explaining how to make the iPhone enroll using SCEP and how this works for the devices:


iPhone SCEP documentation

If there is anything else I can help you with please let me know.
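As an added illustration of the two points in the reply above (that each device gets its own certificate, identifiable by the subject the device put in its request, and that the gateway validates a presented certificate locally by checking its signature), here is a small OpenSSL walkthrough. It is example code written for this page, not Cisco's, Apple's or Microsoft's configuration, and it does not use SCEP: it stands in a throw-away CA for the Windows CA and a subject of the form `/O=Example Corp/OU=<device>/CN=<user>` as an assumed naming scheme. Note that the signature check needs only the CA's public certificate; the CA's private key is never consulted at verification time, which is why the ASA needs no round trip to the CA for that step (revocation checking via CRL or OCSP is a separate matter and is not shown here).

```shell
#!/bin/sh
# Added example (not from the thread): a throw-away CA issues one certificate per
# user+device and a "gateway" verifies it from the CA's public certificate alone.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {
  # Constructed CA standing in for the Windows CA; the names are assumptions.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/O=Example Corp/CN=Example Corp iOS CA" >/dev/null 2>&1
}

issue_device_cert() {
  # $1 = user, $2 = device. The subject binds the certificate to one user AND one
  # device, so sally's iPhone and sally's iPad get distinct, individually revocable
  # certificates. Prints the path of the issued certificate.
  user=$1; device=$2; base="$WORK/$user-$device"
  openssl req -newkey rsa:2048 -nodes -keyout "$base.key" -out "$base.csr" \
    -subj "/O=Example Corp/OU=$device/CN=$user" >/dev/null 2>&1
  openssl x509 -req -in "$base.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -out "$base.crt" >/dev/null 2>&1
  echo "$base.crt"
}

verify_device_cert() {
  # What a gateway does with a presented certificate: verify its signature
  # against the CA's *public* certificate (no CA private key, no call to the CA),
  # then read the subject to learn which user/device this is. Returns 1 if the
  # certificate was not issued by our CA.
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -subject
}

# Stand-alone run: issue two certificates for the same user and verify both.
if [ "${DEMO:-1}" = 1 ]; then
  make_ca
  for dev in iphone ipad; do
    crt=$(issue_device_cert sally "$dev")
    verify_device_cert "$crt"
  done
fi
```

Running it prints two subject lines, one with `OU = iphone` and one with `OU = ipad`, both with `CN = sally`; a certificate from any other issuer fails the `openssl verify` step and `verify_device_cert` returns a non-zero status.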
