Importing User Certificate in new iOS Cisco AnyConnect App #838

Closed
fridaynext opened this issue Jul 26, 2017 · 14 comments

Comments

@fridaynext

commented Jul 26, 2017

Expected behavior: Save user certificate in iOS Cisco AnyConnect App

Actual Behavior: Cannot import user certificates (to AnyConnect App) downloaded from Safari or Mail Client

Steps to Reproduce: Connect to a streisand VPN, disconnect, and reconnect - always asks for login credentials - won't save certificates.

Additional Details:

Cisco is phasing out the AnyConnect app that's linked to from the Streisand docs, and they're moving to a new app for the iOS 11 framework, and they say you can no longer import certificates into their app that were downloaded from Safari or email client. Here's their exact statement:

Unfortunately this is a limitation in the newer OS framework. Random certificates imported via email or Safari are not available to us. We can access certificates deployed via EMM for our app, SCEP from AnyConnect or URL import from AnyConnect.

I've tried to research what 'EMM' and 'SCEP' are, and I've also found these docs which talk about administering an AnyConnect server, but I tried to build a URL like the one suggested there (i.e. anyconnect:[//]import...etc), and I still get the error:

Unable to import a certificate. Please check the URL.

Is there another way to import a certificate to my iPhone that will allow it to be used with the new Cisco AnyConnect 4.0.7075 iOS app?

@cpu

Member

commented Jul 29, 2017

@fridaynext I'm not an OpenConnect or an iOS user and likely won't be able to look at this personally for some time. Pull-requests with fixes for the new iOS app would be welcome.

@nopdotcom

Member

commented Aug 21, 2017

EMM is Enterprise Mobile Management (usually proprietary), and SCEP is (normally) a device enrollment protocol. You don’t want them, we can’t implement the right EMM afaik anyway, and SCEP is out of scope.

Giving a URL to a .p12 from an unauthenticated web server works.

@fridaynext

Author

commented Aug 21, 2017

Importing the .p12 as a profile and as a certificate both fail when using the .p12 URL from the Streisand-generated docs with the current AnyConnect app (v 4.0.7075).

(Screenshots: import_cert, import_profile)

I was using https://xx.xx.xxx.xxx/openconnect/client.p12 as the URL when I got these error messages.

How did you get the .p12 from your streisand server to work?

@nopdotcom

Member

commented Aug 21, 2017

I can’t make the current AnyConnect app version work. I hosted the .p12 file on a local HTTP (not HTTPS) web server and that got me farther, but not quite there. :‐( Try Legacy AnyConnect, for now?

If you don’t have filtering issues with L2TP, it’s much easier to set up on iOS.

@fridaynext

Author

commented Aug 21, 2017

Yep, I'm still using the Legacy app for now. I started this thread to ask about it so I would be prepared for when they stop supporting the Legacy app. I'm using AnyConnect over L2TP due to its much better performance (no loss in bandwidth) and better use on sites all-around (much less 'blocking due to VPN/proxy' when using AnyConnect).

@nopdotcom

Member

commented Aug 21, 2017

BTW, it’s good to have the heads-up on iOS 11. I ran a beta briefly, but I don’t have a full-time device for it right now. I should probably give up root on the iPad.

@nopdotcom

Member

commented Aug 21, 2017

While I’m spamming this thread, I’ll add I find the “less ‘blocking due to VPN/proxy’” condition interesting, and would like to figure out what they’re detecting. Do you have a favorite public site that does blocking?

@fridaynext

Author

commented Aug 21, 2017

One example - when using Netflix with L2TP - no dice, gives me the "proxy" warning and tells me to turn it off. When using Netflix with AnyConnect, it has no idea I'm on a VPN. There are others, but that's a prime example.

@OneHappyForever


commented Sep 2, 2017

The AnyConnect app still shows my real IP for some reason. (Connected, but when I check from ipip.net, it's still my real IP.) Could it be the reason Netflix doesn't block you?

@nopdotcom

Member

commented Nov 2, 2017

OK, I finally ran into this myself; most titles on Amazon Prime Video showed up as "not available in your location", and my location was Boston, via Amazon Lightsail in the us-east-1 region.

Now that I have a good example, I can play with it.

@alimakki

Collaborator

commented Nov 26, 2017

@fridaynext, I put a PR #1069 to add mobileconfig support for AnyConnect releases >4x.

@alimakki

Collaborator

commented Dec 7, 2017

#1069 has been merged.

@alimakki alimakki closed this Dec 7, 2017

@alimakki

Collaborator

commented Dec 7, 2017

@fridaynext since the gateway is protected by basic authentication, you’ll have to embed the username and password as part of the URL, for example https://gooduser:secretpassword@www.example.com/webcallback?foo=bar
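The comment above describes embedding basic-auth credentials in the import URL. Two practical points follow from that which the comment does not spell out: characters such as `@`, `:` or `/` in a password must be percent-encoded or the URL parses wrongly, and a URL that carries a password is itself a secret and should be redacted before it lands in shell history, logs or a bug report. The following added example (not Streisand's or Cisco's code) builds such a URL and strips the credentials again; the host `www.example.com` and the path are taken from the comment, the password is a constructed sample.

```python
# Added example, not part of the Streisand project: build the
# "https://user:password@host/path" import URL that the comment above
# describes, and redact it again before it is logged.
from urllib.parse import quote, urlsplit, urlunsplit


def _host_part(netloc: str) -> str:
    # Drop any existing "user:pass@" prefix; keeps IPv6 brackets and ports.
    return netloc.rpartition("@")[2]


def credentials_allowed(url: str) -> bool:
    """Only embed credentials in an HTTPS URL; over plain HTTP they travel in clear text."""
    return urlsplit(url).scheme == "https"


def build_basic_auth_url(url: str, username: str, password: str) -> str:
    """Return `url` with percent-encoded `username:password@` inserted into its authority."""
    if not credentials_allowed(url):
        raise ValueError("refusing to embed credentials in a non-HTTPS URL")
    parts = urlsplit(url)
    # safe="" so that ':', '@' and '/' inside the values are escaped and
    # cannot be mistaken for URL delimiters.
    userinfo = f"{quote(username, safe='')}:{quote(password, safe='')}"
    netloc = f"{userinfo}@{_host_part(parts.netloc)}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact_url(url: str) -> str:
    """Strip the userinfo so the URL can be logged or pasted without leaking the password."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, _host_part(parts.netloc), parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: a password containing characters that would break
    # a naively concatenated URL.
    full = build_basic_auth_url("https://www.example.com/openconnect/client.p12", "gooduser", "p@ss:w/rd")
    print(full)              # https://gooduser:p%40ss%3Aw%2Frd@www.example.com/openconnect/client.p12
    print(redact_url(full))  # https://www.example.com/openconnect/client.p12
```

Anything that records the import URL (the device's own logs, a mobileconfig profile checked into version control, a pasted screenshot) records the password with it, so the redacted form is the one to share.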

@AnhTVc


commented Jun 20, 2018

Project implementing OpenConnect (Cisco) via AnyConnect on iOS:
https://github.com/AnhTVc/OpenConnectIOS
