On-demand iPhone VPN connection to a Cisco ASA

This was a proof of concept that I worked on with @xrobx99. Thanks @xrobx99 for your help.

We were interested in how our users could access SharePoint behind our firewall from their mobile devices. We currently have a Cisco ASA in front of our organization. The idea is this: a user receives an email notification from SharePoint that they need to approve a workflow. The email comes with a link, and the user clicks it on their Apple iOS device. That click starts an on-demand VPN session to our ASA, and the user is able to reach SharePoint without typing a password. This is how we got it all working.

First, you need to set up certificate authentication on your ASA. If you don't already have a PKI, you can run a certificate server on the ASA itself. Looking at this blog post, it is not that difficult to set up a local CA. That post describes how to do it from the command line; to enable the CA via ASDM go to: Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority. Keep in mind that the CA's private key then lives on the ASA, so the passphrase you choose here protects the key material for every user certificate you will issue.

Clicking the enable box generates the following configuration (here "secret" stands in for the CA passphrase you typed):

  crypto ca server
      smtp from-address [email protected]
      no shutdown passphrase secret

Next add a user:

After adding a user, grab the One Time Password (OTP) and log into the enrollment site: http://site.name.com/+CSCOCA+/enroll.html. The enrollment page is served by the ASA's HTTPS server, so confirm the browser actually lands on an https:// page before entering the OTP. This downloads a *.p12 file containing the user's certificate and private key, protected by that same OTP; I double-clicked it and added it to my keychain (Mac user). We will

Add a new tunnel-group

The next step was to set a group-url on a new tunnel-group. We did this because we wanted the ability to log in with both passwords and certificates: the existing tunnel-group keeps password authentication on one hostname, while a second tunnel-group on a different hostname requires a certificate. The ASA selects the tunnel-group from the URL the client connects to, so the mobile profile only needs to point at the certificate hostname. Both hostnames must resolve to the ASA and be covered by its identity certificate, otherwise AnyConnect will warn about the server certificate. Only the webvpn-attributes are shown here; this is what our tunnel groups looked like:

tunnel-group default webvpn-attributes
 group-url https://server.company.com enable
tunnel-group certificate webvpn-attributes
 authentication certificate
 group-url https://mobile.company.com enable

Add Certificate to iPhone Configuration App

Fire up the iPhone Configuration Utility and create a new Configuration Profile. Scroll down to the "Credentials" section and add the *.p12 file, entering the OTP as its password. The utility stores that password inside the profile alongside the private key, so the exported profile is as sensitive as the certificate itself.

Next go to the VPN section, add the address of the ASA (the certificate hostname, mobile.company.com in our case, not the password one), pick the certificate you just added as the credential, and check the on-demand box for the site.

Share the new configuration profile and apply it to your phone.
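The profile the iPhone Configuration Utility exports is an XML property list (.mobileconfig) with two payloads: the PKCS#12 credential and the AnyConnect VPN payload with on-demand rules. The following script is an added example, not the utility's output or anything from the original post; it builds the same two payloads with Python's plistlib and sanity-checks that the VPN payload points at the certificate-authenticating hostname and references the credential. The p12 bytes, the OTP value and the SharePoint hostname are constructed placeholders; the payload keys are Apple's documented VPN and pkcs12 payload keys, with the newer OnDemandRules form in place of the legacy domain lists the old utility wrote.

```python
"""Build an iOS .mobileconfig carrying a PKCS#12 credential plus an
AnyConnect VPN-on-demand payload, then sanity-check it before sharing."""
import plistlib
import uuid

# Constructed placeholder for the *.p12 downloaded from the ASA enrollment
# page; in practice read it with open("user.p12", "rb").read().
SAMPLE_P12 = b"\x30\x82\x00\x00placeholder-pkcs12-bytes"


def build_profile(p12_bytes, p12_password, vpn_server, on_demand_domains,
                  org="company.com"):
    """Return the profile as a plist dict (pkcs12 payload + VPN payload)."""
    cert_uuid = str(uuid.uuid4()).upper()
    vpn_uuid = str(uuid.uuid4()).upper()
    cert_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.cert.{cert_uuid}",
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "VPN user certificate",
        "PayloadContent": p12_bytes,  # serialized as <data>
        # The OTP that protects the .p12 is stored here in the clear, so the
        # .mobileconfig is as sensitive as the private key it carries.
        "Password": p12_password,
    }
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.vpn.{vpn_uuid}",
        "PayloadUUID": vpn_uuid,
        "PayloadDisplayName": "AnyConnect on demand",
        "UserDefinedName": "Company VPN",
        "VPNType": "VPN",  # third-party SSL VPN plugin
        "VPNSubType": "com.cisco.anyconnect.applevpn.plugin",
        "VPN": {
            # Must be the group-url host that does certificate authentication.
            "RemoteAddress": vpn_server,
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_uuid,
            "OnDemandEnabled": 1,
            "OnDemandRules": [
                {   # connect only when one of these domains is requested
                    "Action": "EvaluateConnection",
                    "ActionParameters": [
                        {"Domains": list(on_demand_domains),
                         "DomainAction": "ConnectIfNeeded"}
                    ],
                },
                {"Action": "Ignore"},  # everything else: leave VPN state alone
            ],
        },
        "VendorConfig": {},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "SharePoint VPN on demand",
        "PayloadContent": [cert_payload, vpn_payload],
    }


def check_profile(profile, expected_server):
    """Return a list of problems; an empty list means the profile is consistent."""
    problems = []
    payloads = {p["PayloadType"]: p for p in profile["PayloadContent"]}
    cert = payloads.get("com.apple.security.pkcs12")
    vpn = payloads.get("com.apple.vpn.managed")
    if cert is None or vpn is None:
        return ["profile must carry both a pkcs12 and a vpn payload"]
    cfg = vpn["VPN"]
    if cfg.get("RemoteAddress") != expected_server:
        problems.append(f"RemoteAddress is {cfg.get('RemoteAddress')!r}, "
                        f"expected cert-auth host {expected_server!r}")
    if cfg.get("AuthenticationMethod") != "Certificate":
        problems.append("AuthenticationMethod is not Certificate")
    if cfg.get("PayloadCertificateUUID") != cert["PayloadUUID"]:
        problems.append("VPN payload does not reference the pkcs12 payload")
    if not cfg.get("OnDemandEnabled") or not cfg.get("OnDemandRules"):
        problems.append("VPN on demand is not enabled")
    return problems


def to_mobileconfig(profile):
    """Serialize to the XML plist iOS ingests as a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_mobileconfig(data):
    """Parse a .mobileconfig back into a dict (for inspecting exported profiles)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    prof = build_profile(SAMPLE_P12, "otp-from-asa", "mobile.company.com",
                         ["sharepoint.company.com"])
    print(check_profile(prof, "mobile.company.com"))
    print(to_mobileconfig(prof).decode())
```

Run `check_profile` against a profile exported from the utility too (load it with `load_mobileconfig`): a common mistake is entering the password hostname as the server, which leaves the phone prompting for credentials instead of connecting silently.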

Now when you try to reach a URL that matches one of the on-demand domains in the VPN section of the profile, the AnyConnect client connects to the hostname that allows certificate authentication. The certificate you included in the profile authenticates you, and you are in!

This was fun to put together!
