Blue Coat Proxy, iPhone’s multiple authentication issues.

Recently a colleague pointed me at the following Blue Coat KB about NTLM issues, as the iPhones on the corp network were getting multiple authentication challenges even though the username and password are saved in the connection profile.

To resolve this we created a second authentication realm on the Blue Coat with Kerberos and NTLM disabled (i.e. Basic auth only), then an authentication rule that matches on User-Agent strings and authenticates those clients against the new Basic-only realm. Below are some command lines to point you in the right direction:

!- BEGIN authentication
security iwa create-realm uk 10.10.10.10 16101
security iwa edit-realm uk ;mode
alternate-server 10.10.10.11 16101
exit
security iwa create-realm ukBasicAuth 10.10.10.10 16101
security iwa edit-realm ukBasicAuth ;mode
alternate-server 10.10.10.11 16101
credentials-kerberos disable
credentials-ntlm disable
exit

I should point out that the KB is out of date; upon implementing it we noticed a lot of Windows users getting unwanted authentication challenges, therefore I suggest you only match against iPhone and iPad… in fact I stuck Macintosh in as well and my MacBook is getting fewer challenges too!

Enjoy the CPL goodness below! One caveat before you deploy it: the User-Agent header is set by the client, so any client that sends one of the matched strings is routed to the Basic-only realm, and Basic auth sends the password Base64-encoded (not encrypted) in the Proxy-Authorization header. In effect the rule lets a client opt itself out of Kerberos/NTLM, so keep the match list as narrow as you can get away with.

;; Description: BlueCoat KB4741
define condition __CondList1BasicUserAgents
        request.header.User-Agent="iphone"
        request.header.User-Agent="ipad"
        request.header.User-Agent="Macintosh"
        request.header.User-Agent="CFNetwork"
end condition __CondList1BasicUserAgents

define condition BasicUserAgents
        condition=__CondList1BasicUserAgents
end condition BasicUserAgents

<Proxy>
        condition=BasicUserAgents authenticate(ukBasicAuth)  authenticate.force(no) authenticate.mode(proxy)    ; KB4741
        authenticate(uk)  authenticate.force(yes) authenticate.mode(proxy)      ; All Internet Traffic
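As an added example (not part of the original post, and not Blue Coat code), the script below mirrors the realm selection in the CPL above and checks a raw 407 challenge against the policy's intent: clients matched by the condition should see Basic and nothing else, everyone else should still be offered Negotiate or NTLM. The 407 responses and User-Agent strings in it are constructed samples, not captures from a real ProxySG; the assumption that the CPL substring match is case-insensitive is taken from the post's lowercase "iphone" matching the real "iPhone" User-Agent.

```python
"""Added example: model the post's CPL realm selection and verify what a
client is actually offered. Not Blue Coat code; all samples are constructed."""
from typing import Dict, Set

# The substrings listed in the post's __CondList1BasicUserAgents condition.
BASIC_USER_AGENTS = ("iphone", "ipad", "Macintosh", "CFNetwork")


def matches_basic_condition(user_agent: str) -> bool:
    """CPL request.header.User-Agent="x" is a substring test. Assumption: it is
    case-insensitive, which is what the post's "iphone" matching "iPhone" implies."""
    ua = user_agent.lower()
    return any(needle.lower() in ua for needle in BASIC_USER_AGENTS)


def select_realm(user_agent: str) -> Dict[str, object]:
    """Reproduce the <Proxy> layer: the first matching rule wins, so a
    BasicUserAgents match goes to ukBasicAuth with force(no); everything
    else falls through to the uk realm with force(yes)."""
    if matches_basic_condition(user_agent):
        return {"realm": "ukBasicAuth", "force": False}
    return {"realm": "uk", "force": True}


def offered_schemes(raw_response: str) -> Set[str]:
    """Scheme names from every Proxy-Authenticate header of a raw HTTP 407.
    Only the header block is inspected; a non-407 yields an empty set."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or " 407 " not in lines[0]:
        return set()
    schemes: Set[str] = set()
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate" and value.strip():
            # 'Basic realm="uk"' -> Basic ; 'NTLM' -> NTLM
            schemes.add(value.strip().split(None, 1)[0].rstrip(","))
    return schemes


def policy_ok(user_agent: str, raw_response: str) -> bool:
    """Does the challenge match the intent of the post's policy?
    Basic-only clients must see Basic and nothing else; everyone else must
    still be offered an IWA scheme (Negotiate or NTLM)."""
    schemes = offered_schemes(raw_response)
    if select_realm(user_agent)["realm"] == "ukBasicAuth":
        return schemes == {"Basic"}
    return bool(schemes & {"Negotiate", "NTLM"})


# Constructed sample challenges (not captured from a real proxy).
CHALLENGE_BASIC_ONLY = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    'Proxy-Authenticate: Basic realm="ukBasicAuth"\r\n'
    "Content-Length: 0\r\n\r\n"
)
CHALLENGE_IWA = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="uk"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# Constructed User-Agent strings (illustrative shapes, not real captures).
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 4_3 like Mac OS X) AppleWebKit/533.17.9"
WINDOWS_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"

if __name__ == "__main__":
    # "curl/7.88.1 iphone" shows the caveat: any client can claim to be an iPhone.
    for ua in (IPHONE_UA, WINDOWS_UA, "curl/7.88.1 iphone"):
        print(f"{ua[:40]:40} -> {select_realm(ua)}")
    print("iPhone offered Basic only:", policy_ok(IPHONE_UA, CHALLENGE_BASIC_ONLY))
    print("Windows offered IWA:      ", policy_ok(WINDOWS_UA, CHALLENGE_IWA))
```

To check a real deployment, capture the challenge with something like `curl -sSI -x http://proxy.example:8080 -A "$UA" http://example.com/` (proxy address assumed) and pass the output to `offered_schemes`; the third loop entry above is the spoofing case the caveat warns about.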

Cisco VPN 3k Config for iPhone

Recently I was asked if I could help set up a VPN connection between an Apple iPhone and a Cisco VPN Concentrator 3000. My first round of googling didn't look good; there's a discussion here complaining about how crap VPN support on the iPhone is. Further searching led me to a Cisco document which specifically targets Mac clients; this document is for ASA configuration, but if you look carefully* everything you need is in there.

*No, I didn't get this working first time; it took me a good couple of hours of googling, but looking back I can see that all the info is there.

The key to getting this working is that the iPhone side is not as configurable as it should be, so if you're trying to get this to work you need to be talking to the IT administrator to get the concentrator side changed. The first word of warning is that the iPhone client doesn't support group authentication, so you're going to be changing the base group. By default most "production" groups inherit settings from the base group, so you will need to make sure that anything you change in the base group doesn't affect your other L2L or Remote Access tunnels. (You have been warned.)

To get started: the iPhone client only supports standard IPsec NAT-T (UDP 4500), not the concentrator's own IPsec-over-UDP or IPsec-over-TCP encapsulation, so if you have a firewall or access-list in front of your concentrator you're going to need to open up UDP 4500 (IKE still starts on UDP 500 and only floats to 4500 once a NAT is detected), then enable NAT Transparency. Another word of warning about NAT-T: we found that existing VPNs to Cisco routers started to fail after enabling this, which was a bit odd as NAT-T wasn't enabled under any of the L2L profiles. Anyway, to fix the issue we enabled NAT-T on the routers (again, make sure UDP 4500 is allowed through any ACLs) and under "conf t" issued:

crypto ipsec nat-transparency udp-encapsulation
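As an added example (not from the original post), these are the IOS access-list entries a router or firewall in front of the concentrator needs so that both the initial IKE exchange and the NAT-T traffic get through; the address 203.0.113.10, ACL number 110 and interface GigabitEthernet0/0 are placeholders, not values from the post.

```cisco
! Added example, not from the original post. 203.0.113.10 stands in for the
! concentrator's outside address; ACL 110 and Gi0/0 are assumptions.
access-list 110 remark IKE main mode starts on UDP 500
access-list 110 permit udp any host 203.0.113.10 eq isakmp
access-list 110 remark IKE and ESP float to UDP 4500 once NAT-T detects a NAT
access-list 110 permit udp any host 203.0.113.10 eq non500-isakmp
access-list 110 remark native ESP for peers that are not behind NAT
access-list 110 permit esp any host 203.0.113.10
!
interface GigabitEthernet0/0
 ip access-group 110 in
```

If only UDP 500 was open before, the symptom of a missing 4500 rule is Phase 1 completing and the tunnel then stalling, because everything after NAT detection moves to port 4500.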

So, back to the cVPN3k config……


Configuration -> Tunnel & Security -> NAT Transparency
IPSEC over NAT-T - TICK

So, a quick explanation of the above so you get the idea: from the tree on the left, click "Configuration", then "Tunnel & Security", then "NAT Transparency", and tick the box next to "IPSec over NAT-T".

Now you need to setup your PHASE 1 Proposal…

Config -> Tunnel & Sec -> IPSEC -> IKE Proposal

I called mine iphone, and you need to configure the following settings.

  • Authentication: Preshared Key (NOT the one with XAuth; the iPhone authenticates the user inside the L2TP tunnel with PPP MS-CHAP, not with IKE XAuth)
  • Hash: SHA-1
  • Encryption: 3DES
  • Diffie-Hellman: Group 2

After phase one, comes PHASE 2:

Config -> Policy Management -> Traffic Management -> SAs

Again, add a new SA with the following settings; I called mine iphone:

  • Authentication: ESP / SHA
  • Encryption: 3DES
  • Encapsulation: Transport (L2TP/IPsec runs in transport mode; the L2TP tunnel carries the traffic)
  • IKE Proposal: iphone (or whatever your Phase 1 proposal was called)

Then finally we start working with the groups, so as mentioned above you need to work with the base group:

Config -> User Management -> Base Group

And you need to enable the following, the other settings will be optional:

On the Base Group Tab,

  • Tunnel Protocol: Tick “L2TP over IPSec”

On the IPSEC Tab,

  • Authentication: Internal or NT, depending on what you've already configured for other Remote Access profiles.
  • IPSec SA: iphone
  • Default Preshared Key: set this to something really, really long (this will be your "secret" on the iPhone). Note that it is one key shared by every user of the base group, so it is a group secret rather than a per-user credential; the per-user check is the L2TP/PPP authentication below.

On the PPTP/L2TP Tab,

  • L2TP Authentication Protocols: tick MSCHAPv1 / MSCHAPv2
  • L2TP Encryption: tick 40 and 128 bit

DONE! Now with a little bit of luck your iPhone should connect. One caveat for anyone reusing this: the settings above are what got the iPhone connecting, but 3DES, SHA-1, DH group 2, MSCHAPv1 and 40-bit MPPE are all considered weak today, so enable anything stronger that both the concentrator and the client will negotiate.

A quick note about comments: all support requests will be deleted; I don't have access to a concentrator to offer any meaningful advice, and you use the above config at your own risk.