{"id":147,"date":"2013-11-25T15:18:43","date_gmt":"2013-11-25T15:18:43","guid":{"rendered":"http:\/\/iddles.co.uk\/blogs\/?p=147"},"modified":"2013-11-25T15:18:43","modified_gmt":"2013-11-25T15:18:43","slug":"native-apple-ios-client-and-android-client-to-cisco-asa-vpn-using-certificate-authentication-part-3-asa-side","status":"publish","type":"post","link":"https:\/\/iddles.co.uk\/index.php\/2013\/11\/25\/native-apple-ios-client-and-android-client-to-cisco-asa-vpn-using-certificate-authentication-part-3-asa-side\/","title":{"rendered":"Native Apple iOS Client and Android Client to Cisco ASA VPN using Certificate Authentication Part 3 &#8211; ASA Side"},"content":{"rendered":"<p>Based on the last post, you can now start to configure the ASA to support Apple iOS and Android devices.<br \/>\nFirst we need to add an IKEv1 policy for each client type so that IKE Phase 1 can establish:<\/p>\n<pre style=\"padding-left:30px;\">! Android\ncrypto ikev1 policy 10\n authentication rsa-sig\n encryption aes-256\n hash sha\n group 2\n lifetime 28800\n! iOS\ncrypto ikev1 policy 12\n authentication rsa-sig\n encryption aes-256\n hash sha\n group 5\n lifetime 3600<\/pre>\n<p>This allows the device to at least connect to the ASA and authenticate.\u00a0 Note that DH group 2 (1024-bit MODP), group 5 (1536-bit MODP) and SHA-1 are weak by current standards; they are here because they are what the native clients propose, not because they are recommended.<br \/>\nThere is an assumption that your ASA already has installed, and trusts, the CAs that the client device certificates are issued by.\u00a0 That is out of scope here, but it is imperative that it is in place.\u00a0 It is also unwise to run this without CRL checking in place, but you should know that as well.<br \/>\nFrom an ASA profile perspective it is simple.\u00a0 As stated before, the native clients on both Android and iOS only support IKEv1, so you have to create IKEv1 profiles for these connections.\u00a0 The strange part of defining an IKEv1 profile is that it has to have an AAA server group set.\u00a0 In my case I normally define a new AAA group that performs no authentication.<\/p>\n<pre style=\"padding-left:30px;\">aaa-server NO_USER_AUTH protocol http-form<\/pre>\n<p>This can then be applied to a new tunnel group.\u00a0 It is not used for authentication (remember &#8211; you are using certificates only), thus:<\/p>\n<pre>tunnel-group IOSandAND type remote-access\ntunnel-group IOSandAND general-attributes\n ! Clients are assigned addresses from this pool\n address-pool IOSandAND-Pool\n ! No user authentication other than the certificate; this group has no servers\n authentication-server-group NO_USER_AUTH\n ! Group policy applied to the connection\n default-group-policy GP_IOSandAND\ntunnel-group IOSandAND ipsec-attributes\n ! Trustpoint whose certificate the ASA presents to the client during IKE;\n ! client certificates are validated against the CAs the ASA trusts\n ikev1 trust-point MyCA.key\n ! No XAUTH user authentication, certificate only\n ikev1 user-authentication none<\/pre>\n<p>If you use Dynamic Access Policies (DAP), and you really should, you will need to add a basic policy that allows Android and iOS devices to connect.\u00a0 No posture checks are available for the native clients because of how little the clients expose.\u00a0 If you want posture checks, the device needs the AnyConnect client (free), the ASA needs an AnyConnect for Mobile licence (circa \u00a3500), and you can then use IKEv2, which removes the need for much of this configuration.<br \/>\nAnyway, I hope it helps some of you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Based on the last post, you can now start to configure the ASA to support Apple iOS and Android devices. First we need to add an IKEv1 policy for each client type so that IKE Phase 1 can establish: ! Android crypto ikev1 policy 10 authentication rsa-sig encryption aes-256 hash sha group 2 lifetime 28800 ! iOS crypto ikev1 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[5,6,9,11],"tags":[],"class_list":["post-147","post","type-post","status-publish","format-standard","hentry","category-mobile","category-mobile-computing","category-osx","category-security","post-preview"],"_links":{"self":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/147","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=147"}],"version-history":[{"count":0,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/147\/revisions"}],"wp:attachment":[{"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=147"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=147"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/iddles.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=147"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
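The post explains why two `crypto ikev1 policy` blocks are needed (Android proposes DH group 2, iOS proposes group 5, and the ASA walks its policies in priority order looking for a transform that matches on authentication, encryption, hash and group). The following is an added example written for this page; it is not code from the original post or from Cisco. It parses the two policy blocks from the post, replays a client's Phase 1 proposal against them the way the ASA does as responder, and flags the parameters a reviewer would call out. The `Proposal` class, the `ANDROID_PROPOSALS`/`IOS_PROPOSALS` values and the `ASA_DEFAULTS` table are constructed for the example; the rule that the shorter of the two lifetimes is used, and the default attribute values, are taken from my reading of Cisco's ASA IKEv1 documentation rather than from the post.

```python
"""ASA IKEv1 Phase 1 policy selection, modelled in Python.

Added example for this post; not code from the original article or from Cisco.
Parses the `crypto ikev1 policy` blocks shown in the post, replays a client's
Phase 1 proposal against them as the ASA does when responding (policies tried
in ascending priority; authentication, encryption, hash and DH group must all
match; the shorter of the two lifetimes is used), and reviews the result.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the two policies from the post (with `crypto` spelled correctly).
ASA_CONFIG = """\
! Android
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
! iOS
crypto ikev1 policy 12
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
"""

# MODP modulus size in bits for the DH groups discussed here.
DH_GROUP_BITS: Dict[int, int] = {1: 768, 2: 1024, 5: 1536, 14: 2048}

# Assumed ASA defaults for attributes a policy block leaves unset (per Cisco docs).
ASA_DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
                "hash": "sha", "group": 2, "lifetime": 86400}


@dataclass(frozen=True)
class Ikev1Policy:
    priority: int
    authentication: str
    encryption: str
    hash: str
    group: int
    lifetime: int


@dataclass(frozen=True)
class Proposal:
    """One Phase 1 transform as offered by a client (constructed for the example)."""
    authentication: str
    encryption: str
    hash: str
    group: int
    lifetime: int


def parse_ikev1_policies(config: str) -> List[Ikev1Policy]:
    """Parse `crypto ikev1 policy N` blocks from ASA config text, lowest priority first."""
    blocks: List[dict] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):        # blank lines and `!` comments
            continue
        m = re.fullmatch(r"crypto ikev1 policy (\d+)", line)
        if m:
            blocks.append({"priority": int(m.group(1))})
            continue
        if not blocks:                               # attribute outside any block
            continue
        key, _, value = line.partition(" ")
        if key in ("authentication", "encryption", "hash"):
            blocks[-1][key] = value
        elif key in ("group", "lifetime"):
            blocks[-1][key] = int(value)
    policies = [Ikev1Policy(**{**ASA_DEFAULTS, **b}) for b in blocks]
    return sorted(policies, key=lambda p: p.priority)


def select_policy(policies: List[Ikev1Policy],
                  proposals: List[Proposal]) -> Optional[Tuple[Ikev1Policy, int]]:
    """Responder-side selection: the first ASA policy (ascending priority) that any
    client transform matches on the four negotiated attributes. Returns the policy
    and the negotiated lifetime (the shorter of the two), or None if nothing matches."""
    for policy in sorted(policies, key=lambda p: p.priority):
        for prop in proposals:
            if ((policy.authentication, policy.encryption, policy.hash, policy.group)
                    == (prop.authentication, prop.encryption, prop.hash, prop.group)):
                return policy, min(policy.lifetime, prop.lifetime)
    return None


def review_policy(policy: Ikev1Policy) -> List[str]:
    """Findings a security reviewer would raise against a Phase 1 policy."""
    findings = []
    bits = DH_GROUP_BITS.get(policy.group)
    if bits is None or bits < 2048:
        size = f"{bits}-bit MODP" if bits else "unknown size"
        findings.append(f"policy {policy.priority}: DH group {policy.group} ({size}) is below 2048 bits")
    if policy.hash == "sha":
        findings.append(f"policy {policy.priority}: hash sha is SHA-1")
    if policy.authentication != "rsa-sig":
        findings.append(f"policy {policy.priority}: authentication {policy.authentication} is not certificate based")
    return findings


# Constructed client proposals mirroring what the post's two policies are written to accept.
ANDROID_PROPOSALS = [Proposal("rsa-sig", "aes-256", "sha", 2, 28800)]
# iOS transform given a deliberately longer lifetime to show the shorter one winning.
IOS_PROPOSALS = [Proposal("rsa-sig", "aes-256", "sha", 5, 86400)]


if __name__ == "__main__":
    policies = parse_ikev1_policies(ASA_CONFIG)
    for name, props in (("Android", ANDROID_PROPOSALS), ("iOS", IOS_PROPOSALS)):
        chosen = select_policy(policies, props)
        print(name, "->", f"policy {chosen[0].priority}, lifetime {chosen[1]}" if chosen else "no match")
    # With only the Android policy present, the iOS client (group 5) cannot complete Phase 1.
    print("iOS with policy 10 only ->", select_policy(policies[:1], IOS_PROPOSALS))
    for p in policies:
        for finding in review_policy(p):
            print("WARN", finding)
```

Running the script shows Android landing on policy 10 and iOS on policy 12 with its lifetime clamped to 3600, and that deleting policy 12 leaves the iOS client with no matching transform, which is the failure you would see in `debug crypto ikev1` as a Phase 1 proposal mismatch. The review output lists the 1024-bit and 1536-bit groups and SHA-1 so the trade-off the post accepts for the native clients is recorded rather than silently inherited.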