Monday, April 28, 2014

How to configure ASA SSL VPN + IPhone

Hi Guys

I had the chance to configure a feature I have always wanted to try out but never got the chance to: Cisco IP Phone VPN. This allows you to configure a phone to VPN over SSL VPN back to its home CUCM when you take it out to a foreign network. It is designed so you can take a phone out to an exec's site or similar (of course, they will need PoE there).

Few things to note:

- Only certain phone models are supported, so keep that in mind; the full list is in the URL I will give below.

- You have to enable it BEFORE you take the phone out. Basically the way it works is that when the phone registers to the CUCM it downloads a config file that tells it where to find the VPN settings; the user doesn't just enter them himself.

- I was lazy and did it using a username and password which the user had to enter into the phone, but this sucks because 1. the user has to enter an alphanumeric username/password on a phone keypad, 2. these users are pulled from your SSLVPN users and NOT your CUCM users, so you had best be syncing from an LDAP source, and 3. it's one more step to worry about. So don't do in production what I am doing here in a lab environment: use certificates to authenticate. If there is enough demand I will do a blog on how to auth via cert.

- Works on both ASA and SSLVPN on a router as far as I can tell.


OK, so first of all, here is the great tutorial from Cisco, but they are doing it on an ASA; we will be doing it on an ISR:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/115785-anyconnect-vpn-00.html

So the first thing you need is, of course, a working SSL VPN config. Mine looks something like this:

crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.05160-k9.pkg sequence 1
webvpn gateway SSLVPN
 ip interface Dialer1 port 443
 ssl trustpoint TP-self-signed-4216080960
 inservice
 !
webvpn context SSL_Gateway
 !
 ssl authenticate verify all
 no inservice

webvpn context SSL_gateway
 gateway SSLVPN
 !
 ssl authenticate verify all
 inservice
 !
 policy group default
   functions svc-enabled
   svc address-pool "VPN" netmask 255.255.255.0
   svc keep-client-installed
   svc split include 172.21.1.0 255.255.255.0
   svc split include 10.0.0.0 255.255.255.0
 default-group-policy default



This is not a tutorial on setting up SSLVPN; there are plenty of tutorials out there on the web for that, and this piece does not really change just because we are now using phones. In fact, before you even begin to configure the SSLVPN on the actual phone, I recommend you test the SSLVPN as a normal user on Windows and check:

1. The user/pass you intend to use for the phone is able to log in
2. The SSL VPN actually works
3. You can ping the CUCM server once you're on the VPN

Once you're sure of all that, and you have tested thoroughly to ensure the SSLVPN is working fine, it's time to configure the phone.

Now the key to all of this is that you MUST provision the phone BEFORE you hand it to the user. If you give the user the phone BEFORE you configure all of these settings, it will be too late: the phone has to register on the corporate network and download this config at least once before you can take it to a remote location and have it register from there.

The second thing is that you MUST install your SSLVPN certificate into the trust store on CUCM, which we will cover.


Log in to your CUCM, then navigate to the OS Administration page. From there navigate to Security -> Certificate Management. Click on Upload Certificate, select "phone-VPN-Trust" from the dropdown as shown below, and upload your certificate from your SSLVPN. The easiest way to get a copy of this is to visit your SSLVPN in your web browser of choice and download the certificate that way.
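As a worked check for the certificate step above (added here, not part of the original post): this Python script fetches the certificate your SSL VPN gateway actually presents, saves it as PEM for the phone-VPN-Trust upload, prints its fingerprint so you can compare it with the browser download and with what CUCM lists after the upload, and then reconnects trusting only that file with hostname checking on, which mirrors the Host ID Check option in the CUCM VPN Profile. The gateway URL and output filename are placeholders; it uses only the standard library, so it works with a self-signed trustpoint like the one in the ISR config.

```python
import base64
import hashlib
import socket
import ssl
from urllib.parse import urlparse

def gateway_endpoint(url):
    """Host and port from the URL that goes into CUCM's VPN Gateway page."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    return parsed.hostname, parsed.port or 443

def fetch_gateway_pem(url):
    """Unverified fetch of the presented cert (same thing the browser download gives)."""
    return ssl.get_server_certificate(gateway_endpoint(url))

def pem_to_der(pem):
    """Strip the PEM armour and return the raw DER bytes."""
    body = [ln for ln in pem.splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def fingerprint(der, algo="sha256"):
    """Colon-separated fingerprint to compare against CUCM's certificate listing."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def cert_names(cert):
    """CN and DNS SANs from an ssl getpeercert() dict: the names a Host ID
    check compares with the hostname in the VPN URL."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names + [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]

def verify_gateway(url, pem):
    """Reconnect trusting only the fetched PEM, hostname check on. Raises
    ssl.SSLError if a different cert is presented or the name does not match."""
    host, port = gateway_endpoint(url)
    ctx = ssl.create_default_context(cadata=pem)  # check_hostname is on by default
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    URL = "https://vpn.example.com"  # placeholder: your users' SSL VPN URL
    pem = fetch_gateway_pem(URL)
    with open("sslvpn-gateway.pem", "w") as f:  # upload this as phone-VPN-Trust
        f.write(pem)
    print("SHA-256:", fingerprint(pem_to_der(pem)))
    print("names:", cert_names(verify_gateway(URL, pem)))
```

With the IOS self-signed trustpoint shown in the config above, expect verify_gateway to fail the name check, since that certificate does not normally carry your VPN hostname in its CN or SAN; the fix is to give the gateway a certificate whose CN or SAN is the hostname in the VPN URL, which is also what the phone's Host ID Check needs.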



Once this is done, go back to your CUCM Administration page and go to Advanced Features -> VPN -> VPN Gateway. Here we can add a gateway, and if we have done everything right the SSL certificate we uploaded previously should be listed in the dropdown.




For the URL, enter whatever URL your users use for their normal SSLVPN connection.

Next, configure the VPN group under Advanced Features -> VPN -> VPN Group. This is relatively straightforward; here you could specify multiple SSLVPN gateways if you were lucky enough to have multiple SSLVPNs.



The next stage is to specify the VPN Profile; this is done under Advanced Features -> VPN -> VPN Profile.


You can see this is also where we specify the authentication method. In my example I am using user/pass since that is the easiest, but later we will do one with certificates.

OK, almost there! The last step is to associate this VPN profile with a common phone profile. A common phone profile groups together settings common to a particular set of devices; there is a default one, "Standard Common Phone Profile", which you could just edit so that EVERY phone has the VPN configuration inserted and therefore anyone could take their phone home if they wanted. That is what I elected to do. Common phone profile configuration is found under:

Device -> Device Settings -> Common Phone Profile


As you can see I have selected the VPN Profile and VPN Group at the bottom.

Once this is done, reset your phone. We can now do quite a bit to verify whether the VPN settings have actually taken effect. Below are some screenshots.

On a 79XX series phone, you can go to Settings -> Security Configuration and scroll down to VPN Configuration; there you can obtain a lot of information about whether the VPN profile has successfully been associated to the phone.








Once we plugged this phone into an external network, when the phone first booted I got the username/password prompt. After that was entered, the phone successfully registered!


I hope this helps someone out there.



11 comments:

  1. If we are connecting using AnyConnect from PCs and Macs, would it be safe to assume that AnyConnect is already configured on our ASA? What if I wanted to opt in to another VPN service such as VPN Traffic?
    http://www.bestvpnservice.com/vpntraffic/
