Streisand: Importing User Certificate in new iOS Cisco AnyConnect App

Created on 26 Jul 2017 · 14 comments · Source: StreisandEffect/streisand

Expected behavior: Save user certificate in iOS Cisco AnyConnect App

Actual Behavior: Cannot import user certificates (to AnyConnect App) downloaded from Safari or Mail Client

Steps to Reproduce: Connect to a streisand VPN, disconnect, and reconnect - always asks for login credentials - won't save certificates.

Additional Details:

Cisco is phasing out the AnyConnect app that's linked to from the Streisand docs, and they're moving to a new app for the iOS 11 framework, and they say you can no longer import certificates into their app that were downloaded from Safari or an email client. Here's their exact statement:

Unfortunately this is a limitation in the newer OS framework. Random certificates imported via email or Safari are not available to us. We can access certificates deployed via EMM for our app, SCEP from AnyConnect or URL import from AnyConnect.

I've tried to research what 'EMM' and 'SCEP' are, and I've also found these docs which talk about administering an AnyConnect server, but I tried to build a URL like the one suggested there (i.e. anyconnect:[//]import...etc), and I still get the error:

Unable to import a certificate. Please check the URL.

Is there another way to import a certificate to my iPhone that will allow it to be used with the new Cisco AnyConnect 4.0.7075 iOS app?


All 14 comments

@fridaynext I'm not an OpenConnect or an iOS user and likely won't be able to look at this personally for some time. Pull-requests with fixes for the new iOS app would be welcome.

EMM is Enterprise Mobile Management (usually proprietary), and SCEP is (normally) a device enrollment protocol. You don’t want them, we can’t implement the right EMM afaik anyway, and SCEP is out of scope.

Giving a URL to a .p12 from an unauthenticated web server works.

Trying to import the .p12 as a profile and as a certificate both don't work, when using the .p12 URL from the streisand generated docs, using the current AnyConnect app (v 4.0.7075).

I'm using https://xx.xx.xxx.xxx/openconnect/client.p12 as the URL when I get these error messages.

How did you get the .p12 from your streisand server to work?

I can’t make the current AnyConnect app version work. I hosted the .p12 file on a local HTTP (not HTTPS) web server and that got me farther, but not quite there. :‐( Try Legacy AnyConnect, for now?

If you don’t have filtering issues with L2TP, it’s much easier to set up on iOS.

Yep, I'm still using the Legacy app for now. I started this thread to ask about it so I would be prepared for when they stop supporting the Legacy app. I'm using AnyConnect over L2TP due to its much better performance (no loss in bandwidth) and better use on sites all-around (much less 'blocking due to VPN/proxy' when using AnyConnect).

BTW, it’s good to have the heads-up on iOS 11. I ran a beta briefly, but I don’t have a full-time device for it right now. I should probably give up root on the iPad.

While I’m spamming this thread, I’ll add I find the “less ‘blocking due to VPN/proxy’” condition interesting, and would like to figure out what they’re detecting. Do you have a favorite public site that does blocking?

One example - when using Netflix with L2TP - no dice, gives me the "proxy" warning and tells me to turn it off. When using Netflix with AnyConnect, it has no idea I'm on a VPN. There are others, but that's a prime example.

The AnyConnect app still shows my real ip for some reason. (Connected, but when I check from ipip.net , it's still my real ip). Could it be the reason Netflix doesn't block you?

OK, I finally ran into this myself; most titles on Amazon Prime Video showed up as "not available in your location", and my location was Boston, via Amazon Lightsail at the us-east-1 region.

Now that I have a good example, I can play with it.

@fridaynext, I put a PR #1069 to add mobileconfig support for AnyConnect releases >4x.

1069 has been merged.
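As an added illustration of the mobileconfig route the merged PR refers to (this is not the PR's own code, and the exact profile Streisand generates is assumed): a configuration profile that carries the client PKCS#12 bundle as a `com.apple.security.pkcs12` payload, which is the Apple-sanctioned way to get a certificate into the device keychain instead of downloading the raw .p12 in Safari. The identifier prefix and the sample bytes are constructed placeholders.

```python
import plistlib
import uuid

# Apple configuration-profile payload type that installs a PKCS#12 bundle
# (client certificate + private key) into the device keychain.
PKCS12_PAYLOAD_TYPE = "com.apple.security.pkcs12"


def build_mobileconfig(p12_bytes: bytes, p12_password: str,
                       org: str, display_name: str) -> bytes:
    """Return an unsigned .mobileconfig (XML plist) wrapping one PKCS#12 payload.

    The .p12 export password is stored in cleartext inside the profile, so the
    profile must only be served over authenticated HTTPS (e.g. behind the
    gateway's basic auth), never from an open HTTP server.
    """
    base_id = f"{org}.openconnect"  # hypothetical identifier prefix
    cert_payload = {
        "PayloadType": PKCS12_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{base_id}.pkcs12",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{display_name} client certificate",
        "PayloadContent": p12_bytes,  # plistlib emits this as base64 <data>
        "Password": p12_password,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": base_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": False,  # user may delete the profile later
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(blob: bytes) -> dict:
    """Parse a .mobileconfig back into a dict, to review what will be shipped."""
    return plistlib.loads(blob)


if __name__ == "__main__":
    # Constructed stand-in for client.p12; the real bundle comes from the server.
    fake_p12 = b"\x30\x82\x00\x10" + b"\x00" * 16
    out = build_mobileconfig(fake_p12, "p12-export-password",
                             "example.org", "Streisand OpenConnect")
    with open("openconnect.mobileconfig", "wb") as fh:
        fh.write(out)
```

Opening the resulting file on the device walks the user through Settings' profile installation; signing the profile with the gateway's certificate is a further step not shown here.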

@fridaynext since the gateway is protected by basic authentication, you’ll have to embed the username and password as part of the URL, for example https://gooduser:[email protected]/webcallback?foo=bar

Project implementing OpenConnect (Cisco) via AnyConnect on iOS:
https://github.com/AnhTVc/OpenConnectIOS
