Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5
Administering AnyConnect for Apple iOS Devices

Table Of Contents

Administering AnyConnect for Apple iOS Devices

Supported Mobile Devices

AnyConnect Features Supported on Apple iOS Devices

System Requirements

Recommended ASA Configurations

DNS Resolution Behavior with Split DNS

Configuring Mobile Posture on the Secure Gateway

Preventing Apple iOS Devices from Establishing SSL VPN Connections

Installing and Upgrading AnyConnect on iOS Devices

AnyConnect Client Interface on Apple iOS Devices

AnyConnect Client Configuration and Deployment

Overview

Configuring Connections for Mobile Devices in a VPN Client Profile

Using the VPN Profile Editor

Mobile-specific Attributes in the VPN Client Profile

Configuring Authentication

Deploying the VPN Client Profile

Connection Persistence Features

Apple iOS Connect On Demand

Network Roaming

Localizing AnyConnect Interface and Messages

Pre-packaged Localization

Downloaded Localization

Importing Localization

User Import

via the URI Handler

Clearing Localization

Certificate Management

Installing Certificates on Apple iOS Devices

Automatic Certificate Selection

Using the URI Handler to Automate AnyConnect Actions

Using the URI Handler to Generate a VPN Connection Entry

Using the URI Handler to Establish a VPN Connection

Provide the Connection Name and Host Name in a URI

Provide Connection Information and Prefill a Username and Password in a URI

Provide Connection Information and Prefill Usernames and Passwords for Double Authentication

Provide Connection Information, Prefill a Username and Password, and Specify a Connection Alias

Connect Parameter and Syntax Descriptions

Using the URI Handler to Disconnect from a VPN

Using the URI Handler to Localize the AnyConnect UI and Messages

Using the URI Handler to Import a PKCS12 Encoded Certificate Bundle

HTML Hyperlink Examples

Using the URI Handler to Import a VPN Client Profile

Other Apple iOS Specific Considerations

Troubleshooting


Administering AnyConnect for Apple iOS Devices


This chapter provides you with support information, system requirements, and installation information, as well as other administrative tasks specific to AnyConnect 2.5 for Apple iOS devices:

Supported Mobile Devices

AnyConnect Features Supported on Apple iOS Devices

System Requirements

Recommended ASA Configurations

Installing and Upgrading AnyConnect on iOS Devices

AnyConnect Client Interface on Apple iOS Devices

AnyConnect Client Configuration and Deployment

Localizing AnyConnect Interface and Messages

Certificate Management

Using the URI Handler to Automate AnyConnect Actions

Other Apple iOS Specific Considerations

Troubleshooting

Supported Mobile Devices

For a list of Apple iOS mobile devices on which AnyConnect 2.5 runs, see "Supported Apple iOS Devices" in the Release Notes for Cisco AnyConnect VPN Client, Release 2.5.x for Apple iOS.

AnyConnect Features Supported on Apple iOS Devices

For a list of AnyConnect features supported in this release see "Apple iOS AnyConnect Features" in the Release Notes for Cisco AnyConnect VPN Client, Release 2.5.x for Apple iOS.

System Requirements

For a list of supported security appliances and software, see "Adaptive Security Appliance Requirements" in the Release Notes for Cisco AnyConnect VPN Client, Release 2.5.x for Apple iOS.

Recommended ASA Configurations

For the best user experience, Cisco recommends using multiple tunnel groups for mobile devices, depending on the authentication configuration. Decide how best to balance user experience with security.

For certificate-based authentication tunnel groups for mobile devices that have Connect on Demand configured, the tunnel group should specify a very short idle timeout (vpn-idle-timeout), such as 60 seconds. Set a short idle timeout if the VPN session is not critical for an application and does not need to be connected all the time; the Apple device can then close the VPN connection when it is no longer needed, for example, when the device goes into sleep mode. The default idle timeout for a tunnel group is 60 minutes.

For AAA-based authentication tunnel groups for mobile devices, the tunnel group should have a very long idle-timeout, such as 24 hours, to let the client remain in a reconnecting state without requiring the user to re-authenticate.

DNS Resolution Behavior with Split DNS

The ASA split tunneling feature lets you specify which traffic goes over the VPN tunnel and which goes in the clear. An associated feature, called split DNS, lets you specify which DNS traffic is eligible for resolution over the VPN tunnel and which DNS traffic the endpoint's local DNS resolver handles.

AnyConnect for Apple iOS supports the optional split-dns command to specify the DNS queries to resolve; however, the command works differently than it does on other devices if you also configure split tunnel VPN.

The split-dns command, entered in group-policy configuration mode, lists the domains to be resolved through the VPN session, as follows:

hostname(config-group-policy)# split-dns {value domain-name1 [domain-name2... domain-nameN] | none}

If the split-dns command is not present, the group policy inherits any split-dns setting present in the default group policy. To prevent inheriting a split tunneling domain list, use the split-dns none command.

AnyConnect for Apple iOS responds to this command as follows:

Encrypts only DNS queries for domains in the split-dns list—AnyConnect tunnels only the DNS queries for the domains specified in the command, and sends all other DNS to the local DNS resolver for resolution in-the-clear. For example, AnyConnect tunnels only the DNS queries for example1.com and example2.com in response to the following command:

hostname(config-group-policy)# split-dns value example1.com example2.com

Encrypts only DNS queries for the domain in the default-domain command—If the split-dns none command is present and the default-domain command specifies a domain, AnyConnect tunnels only DNS queries for that domain, and sends all other DNS to the local DNS resolver for resolution in-the-clear. For example, AnyConnect tunnels only the DNS queries for example1.com in response to the following commands:

hostname(config-group-policy)# split-dns none
hostname(config-group-policy)# default-domain value example1.com

Sends all DNS queries in the clear—If the split-dns none and default-domain none commands are present in the group policy, or these commands are absent from the group policy but present in the default group policy, AnyConnect sends all DNS to the local DNS resolver for resolution in-the-clear.
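The three cases above, together with the inheritance from the default group policy, can be expressed as one decision function. The following is an added example, not Cisco code: it models a group policy as a small dictionary (split-dns holding a list of domains, the string "none", or being absent; default-domain likewise), resolves inheritance the way the text describes, and then classifies individual DNS queries. The dictionary layout and the subdomain-matching rule in query_is_tunneled are this example's assumptions.

```python
"""Model of the split-DNS decision AnyConnect for Apple iOS makes (added example)."""

# Constructed model of the two group-policy settings the text describes.
# For each setting: None   -> the command is absent and is inherited from the
#                            default group policy (DfltGrpPolicy),
#                   "none" -> "<command> none" is configured,
#                   other  -> the configured value(s).
# "split-dns" holds a list of domains, "default-domain" a single domain.


def effective_setting(group_policy: dict, default_group_policy: dict, command: str):
    """Apply ASA inheritance: an absent command takes the default group policy's value."""
    value = group_policy.get(command)
    return default_group_policy.get(command) if value is None else value


def tunneled_dns_domains(group_policy: dict, default_group_policy: dict) -> list:
    """Return the domains whose DNS queries AnyConnect for iOS sends over the tunnel.

    An empty list means every DNS query goes to the local resolver in the clear.
    """
    split_dns = effective_setting(group_policy, default_group_policy, "split-dns")
    default_domain = effective_setting(group_policy, default_group_policy, "default-domain")

    # Case 1: a split-dns list is in effect -> only those domains are tunneled.
    if isinstance(split_dns, list) and split_dns:
        return list(split_dns)
    # Case 2: split-dns none, but default-domain names a domain -> only that domain.
    if split_dns == "none" and default_domain not in (None, "none"):
        return [default_domain]
    # Case 3: split-dns none and default-domain none (directly or inherited) -> all in the clear.
    return []


def query_is_tunneled(qname: str, tunneled: list) -> bool:
    """Decide whether a single DNS query is sent through the VPN.

    Assumption (not stated on the page): a query matches a listed domain when the
    queried name is that domain or a subdomain of it. Matching is case-insensitive.
    """
    name = qname.lower().rstrip(".")
    return any(name == d.lower() or name.endswith("." + d.lower()) for d in tunneled)


if __name__ == "__main__":
    # An ASA's default group policy carries split-dns none and default-domain none
    # unless changed, so inherited values are rarely empty in practice.
    dflt = {"split-dns": "none", "default-domain": "none"}
    policies = {
        "split-dns list": {"split-dns": ["example1.com", "example2.com"]},
        "default-domain only": {"split-dns": "none", "default-domain": "example1.com"},
        "everything in the clear": {"split-dns": "none", "default-domain": "none"},
        "inherits from DfltGrpPolicy": {},
    }
    for label, gp in policies.items():
        domains = tunneled_dns_domains(gp, dflt)
        for q in ("mail.example1.com", "www.example2.com", "www.example.org"):
            print(f"{label:28} {q:20} tunneled={query_is_tunneled(q, domains)}")
```

The fourth policy in the demo is the case that surprises people: a group policy with no split-dns line at all takes whatever the default group policy has, so a list configured there silently applies to every group policy that does not override it.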

Configuring Mobile Posture on the Secure Gateway

Configure dynamic access policies (DAP) based on these attributes of a mobile device:

Client Version — The AnyConnect client version.

Platform — The operating system including Android and Apple iOS.

Platform Version — The operating system version number.

Device Type — The mobile device type, such as iPad or Samsung GT-I9000.

Device Unique ID — The mobile device's unique ID.

For complete instructions, see Adding Mobile Posture Attributes to a DAP in Cisco 5500 Series Configuration Guide using ASDM, 6.4 or see Add/Edit Endpoint Attributes in Cisco Security Appliance Configuration Guide using ASDM, 6.2.

Preventing Apple iOS Devices from Establishing SSL VPN Connections

An ASA must be activated with an AnyConnect Mobile license to support Apple iOS SSL VPN connections. If an ASA is not activated with an AnyConnect Mobile license, it automatically denies the connection attempts.

By default, an ASA activated with an AnyConnect Mobile license lets any user, who can authenticate, log in from an Apple iOS device running AnyConnect.

You can configure an ASA to prevent these connections; however, at this time, doing so requires both of the following:

The ASA must be activated with an AnyConnect Premium license. This is a technical requirement.

CSD must be enabled.

To configure an ASA to prevent SSL VPN connections from Apple iOS, add a dynamic access policy as follows:


Step 1 Establish an ASDM session with the ASA.

Step 2 Choose Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies > Add.

Figure 1 DAP to Prevent SSL VPN Connections from Apple iOS Devices

Step 3 Name the policy (for example, Deny Apple iOS).

Step 4 Click Advanced.

Step 5 Enter the following into the Logical Expressions text box:

EVAL(endpoint.os.version, "EQ", "Apple Plugin", "string")

Step 6 Click Terminate under the Action tab.

Step 7 Click OK and Apply.


Installing and Upgrading AnyConnect on iOS Devices

Installing AnyConnect Client

End users install the AnyConnect Secure Mobility Client for iOS devices like any other iPad, iPhone, or iPod Touch app, by visiting the Apple App Store and downloading the app. The AnyConnect client app is free, and users can find it here: http://itunes.apple.com/us/app/cisco-anyconnect/id392790924?mt=8

For detailed installation steps, see "Installing AnyConnect" in the iPhone or iPad user's guide.

Upgrading AnyConnect 2.4 to AnyConnect 2.5

End users upgrade AnyConnect by downloading a new AnyConnect client from the Apple App store.

For the complete upgrade procedure, see "Upgrading AnyConnect" in either the iPhone or iPad user's guide.

AnyConnect Client Interface on Apple iOS Devices

For a description of the client user interface see either the iPhone or iPad user's guide.

AnyConnect Client Configuration and Deployment

Overview

AnyConnect administrators configure VPN features and connection entries in an AnyConnect VPN Client Profile which is distributed to mobile devices when they connect to the secure gateway (ASA).

An AnyConnect VPN Client Profile is an XML file that identifies a list of secure gateways (ASAs) that you want to make accessible to the endpoint. It also specifies additional connection attributes and constraints on a user.


Note AnyConnect retains only one profile on the Apple iOS device at a time; however, a profile can consist of multiple connection entries.


At minimum, to initiate a connection to a secure gateway, AnyConnect requires the device user to create a connection entry containing the following information:

Description—uniquely identifies one VPN connection from another.

Server Address—Fully qualified domain name or IP address of the destination, including the URL path if the ASA VPN configuration specifies the group URL.

When administrators create and distribute these profiles, end users cannot modify them. End users can only modify the connection entries they create manually.

Configuring Connections for Mobile Devices in a VPN Client Profile

Using the VPN Profile Editor

You need to use Profile Editor 3.0.1047 or later to create a VPN client profile that includes connection profiles for Apple iOS devices. Profile Editor can be used as a standalone tool, and is downloaded from Cisco.com.

To download Profile Editor:


Step 1 Connect to the AnyConnect Secure Mobility Client page on Cisco.com and click Download Software.

Step 2 Expand the All Releases and 3.0 directories and select 3.0.1047 or a later version of AnyConnect.

Step 3 In the column on the right, look for a file with the naming convention, anyconnect-profileeditor-win-<version>-k9.exe. If you were downloading the AnyConnect Profile Editor released with AnyConnect 3.0.1047, you would find: anyconnect-profileeditor-win-3.0.1047-k9.exe.

Step 4 Click Download now and follow the instructions on the site to complete the download process.


Mobile-specific Attributes in the VPN Client Profile

See Configuring Connections for Mobile Devices in the AnyConnect Secure Mobility Client Administrator Guide, Release 3.0 for instructions on how to configure connections for Apple iOS devices by setting the following mobile-specific attributes:

Certificate authentication method

ActivateOnImport

Network Roaming preference

Connect on Demand preference

Configuring Authentication

AnyConnect for Apple iOS supports a full suite of authentication capabilities similar to AnyConnect for Windows, Mac OS X, and Linux.

Deploying the VPN Client Profile

After you have created the VPN client profile with the Apple iOS connection entries, see Deploying the AnyConnect Profile for instructions on how to import the VPN client profile to the ASA and associate it with a group policy.

Connection Persistence Features

The following AnyConnect features enable connection persistence on the Apple iOS devices:

Apple iOS Connect On Demand

Network Roaming

Auto Reconnect Behavior "ReconnectAfterResume"

To achieve the most transparent end user experience, use certificate-only authentication. When a digital certificate is issued, it enables a VPN connection to be established without user interaction.


Note AnyConnect on Apple iOS does not provide the Trusted Network Detection feature.


Apple iOS Connect On Demand

The Apple iOS Connect On Demand feature lets an application, such as Safari, initiate a VPN connection. Apple iOS evaluates the domain requested by the application against the strings in the domain lists within the active connection entry—the entry with the check mark next to it.

You define the domain lists Apple iOS evaluates.

Never Connect—Apple iOS evaluates domain requests for a match against the contents of this list first. If a string in this list matches the domain, Apple iOS ignores the domain request. This list lets you exclude certain resources. For example, you might not want an automatic VPN connection over a public facing Web server. An example value is www.example.com.


Note If you or the user enable Connect On Demand, AnyConnect adds the server address in the VPN configuration to the Never Connect list to prevent VPN connections from starting when you use a web browser to connect to a secure gateway. Leaving the rule in place does not have an adverse effect on Connect on Demand.


Always Connect—Apple iOS evaluates domain requests for a match against the contents of this list next. If a string in this list matches the domain, Apple iOS attempts to establish a VPN connection. The most common use case for this list is to obtain brief access to internal resources. An example value is email.example.com.

Connect if Needed—Apple iOS evaluates a domain request for a match against this list if a DNS error occurred. If a string in this list matches the domain, Apple iOS attempts to establish a VPN connection. The most common use case for this list is to obtain brief access to an internal resource that is not accessible in a LAN within the corporate network. An example value is intranet.example.com.

Apple iOS establishes a VPN connection on behalf of an application only if all of the following are true:

A VPN connection is not already established.

An application compatible with the Apple iOS Connect on Demand framework requests a domain.

The connection entry is configured to use a valid certificate.

Connect on Demand is enabled in the connection entry.

Apple iOS fails to match a string in the Never Connect list to the domain request.

Either of the following is true:

Apple iOS matches a string in the Always Connect list to the domain request.

A DNS lookup failed and Apple iOS matches a string in the Connect if Needed list to the domain request.

The Connect-on-Demand rules support only domain names, not IP addresses; however, the domain names specified within the rules may be partial or whole domain strings.


Note The integrated Apple iOS IPsec client and AnyConnect both use the same Apple iOS VPN on Demand framework.


See Configuring Connect-On-Demand Rules in the iPad or iPhone user guide or "Using the URI Handler to Generate a VPN Connection Entry" later in this document for instructions.

Network Roaming

Network Roaming, also called persistent reconnect, determines whether to observe a limit on the time it takes to reconnect after the device wakes up or changes in the connection type (such as EDGE(2G), 1xRTT(2G), 3G, or Wi-Fi) occur. Providing seamless mobility with a secure connection that persists across networks is useful for applications that require a connection to the enterprise.

If Network Roaming is enabled and AnyConnect loses a connection, it does not limit the time it takes to try to reconnect. Therefore, this feature could consume more battery life.


Note Network Roaming does not affect data roaming or the use of multiple mobile service providers.


Policies that restrict VPN traffic could prevent the device from accessing non-corporate Internet resources. If enabled, Network Roaming requires a policy on the ASA that supports a persistent connection.

If Network Roaming is disabled and AnyConnect loses a connection, it tries to re-establish a connection for 20 seconds. The user or application must then start a new VPN connection if one is necessary.

By default, AnyConnect sends all network traffic over the VPN connection. Enable a split tunneling policy to control traffic flow, directing traffic appropriate for the tunnel over the VPN and traffic appropriate for the data network outside it. For instructions, refer to the ASA Configuration Guide.

Localizing AnyConnect Interface and Messages

Pre-packaged Localization

The following language translations are included in the AnyConnect package:

Czech (cs-cz)

German (de-de)

Latin American Spanish (es-co)

Canadian French (fr-ca)

Japanese (ja-jp)

Korean (ko-kr)

Polish (pl-pl)

Simplified Chinese (zh-cn)

Localization data for these languages is pre-loaded onto your device when AnyConnect is installed. The displayed language is chosen by determining the best match to the device's locale specified in Settings > General > International > Language. For example, French-Switzerland (fr-ch) results in a French-Canadian (fr-ca) display. If there is no match, AnyConnect defaults to English (United States).

Downloaded Localization

For languages not in the AnyConnect package, administrators add localization data to the ASA to be downloaded to the device when AnyConnect establishes VPN connectivity. See Localizing the AnyConnect GUI for instructions on configuring localization on an ASA. If the ASA does not contain localization data for the device's locale, the pre-loaded localization data from the AnyConnect application package continues to be used.

Cisco provides the anyconnect.po file, including all localizable AnyConnect strings, on the product download center of Cisco.com. AnyConnect administrators download the anyconnect.po file, provide translations for the available strings, and then upload the file to the ASA.

The anyconnect.po file provided with this release includes new translated messages and UI strings. AnyConnect administrators that already have an anyconnect.po file installed on the ASA will want to download this updated version.

Initially, the AnyConnect user interface and messages are presented to the user in US English. When the end user establishes the first connection to the ASA, AnyConnect compares the device's preferred language, configured on the Apple iOS device at Settings > General > International > Language, to the localization languages available on the ASA. If AnyConnect finds a matching localization file, it downloads the localized file. Once the download is complete, AnyConnect presents the user interface and user messages using the translated strings added to the anyconnect.po file. If a string was not translated, AnyConnect presents the default strings originally provided.

To download the anyconnect.po file from Cisco.com:


Step 1 Begin at the Select a Product page.

Step 2 Select Products > Security > Virtual Private Networks (VPN) > Cisco VPN Clients > Cisco AnyConnect Secure Mobility Client.

Step 3 Expand the All Releases folder in the release folder tree, expand 3.0, and then open the folder of the latest AnyConnect 3.0 release.

Step 4 In the list of downloadable files, find anyconnect.po and click Download Now.

Step 5 Follow the prompts to download the file.

Step 6 Continue with Localizing the AnyConnect Client GUI and Installer.


Importing Localization

User Import

The user carries out the following procedure on the device to import localization data configured on a specified ASA:


Step 1 Tap the AnyConnect icon on the home screen.

Step 2 Tap Diagnostics.

Step 3 Tap Localization.

Step 4 Tap Import Localization...

Step 5 Specify the server address and language, then tap Enter.

The user interface and messages display in the specified language after import completes.

via the URI Handler

Use this URI handler method to distribute localization files to AnyConnect clients. The Apple iOS devices must be running Apple iOS 5 or later. See Using the URI Handler to Localize the AnyConnect UI and Messages for more information.


Clearing Localization

To return the AnyConnect App to its default text strings, follow this procedure on the device:


Step 1 Tap the AnyConnect icon on the home screen.

Step 2 Tap Diagnostics.

Step 3 Tap Localization.

Step 4 Tap Delete Localization.

AnyConnect deletes all localization data and all UI and message text returns to the default setting.


Certificate Management

Installing Certificates on Apple iOS Devices

In order to authenticate the mobile device to the secure gateway using a certificate, end users need to import the certificate to their device and then associate that certificate with a connection entry. Users import certificates in the following ways:

Importing and Installing Certificates Attached to Emails

Importing and Installing Certificates From Hyperlinks

Importing and Installing Certificates with a SCEP-configured Connection Alias

See "Installing a Certificate on Your Mobile Device" in the iPhone or iPad user guide.

Automatic Certificate Selection

AnyConnect automatically chooses the client certificate with which to authenticate. For automatic certificate selection, AnyConnect views all the installed certificates, disregards those certificates that are out of date, applies the certificate matching criteria defined in VPN client profile, and then authenticates using the certificate that matches the criteria. This happens every time the user attempts to establish a VPN connection.

Automatic certificate selection functions the same in this release of AnyConnect for mobile devices as it does in AnyConnect for Windows and Mac OS X.

Using the URI Handler to Automate AnyConnect Actions

The URI handler lets applications pass action requests in the form of Uniform Resource Identifiers (URIs). Use URIs to generate VPN connection entries, connect to or disconnect from a VPN, and import certificates, profiles, and localization data. Insert URIs into web pages or applications to:

Import certificates.

Configure the client by creating a web page for Apple iOS users to visit. Use this method to simplify the AnyConnect user setup process.

The URI Handler also lets other applications start VPN connections to access internal resources as needed, and then disconnect.


Note End-users recognize this functionality as External Control. End users enable this feature on their mobile devices by selecting Settings > AnyConnect > External Control and choosing Enable.


The following sections show the syntax, examples, and parameter descriptions of the supported actions.

Using the URI Handler to Generate a VPN Connection Entry

Use the AnyConnect URI handler create action to simplify the generation of an AnyConnect connection entry for users.

Insert a separate link for each connection entry you want to add to the device. We do not support multiple create actions in a single link.

Use the following syntax to insert the create action to add an AnyConnect connection entry to the endpoint configuration:

anyconnect:[//]create[/]?name=Description&host=ServerAddress[&Parameter1=Value&Parameter2=Value...]

Examples:

anyconnect://create/?name=SimpleExample&host=vpn.example.com

anyconnect:create?name=SimpleExample&host=vpn.example.com

anyconnect:create?name=Example%201&host=vpn.example.com&netroam=true&usecert=false

anyconnect:create?name=Example%20with%20certificate&host=vpn.example.com&netroam=true&usecert=true&certcommonname=example-ID&useondemand=true&domainlistalways=email.example.com,pay.examplecloud.com&domainlistnever=www.example.com&domainlistifneeded=intranet.example.com

The create action requires either the name and host parameters, but allows both. All other parameters are optional. When the action runs on the device, AnyConnect saves all of the parameter values you enter to the connection entry associated with that name and host.

The slashes at the beginning of the URI are optional.

To match a space, enter %20. For example, to match a connection entry named Example Connection 1, enter Example%20Connection%201.

These are descriptions of the create parameter options:

name—unique name for the connection entry to appear in the connection list of the AnyConnect home screen and the Description field of the AnyConnect connection entry. AnyConnect responds only if the name is unique. We recommend using a maximum of 24 characters to ensure they fit in the connection list. Use letters, numbers, or symbols on the keyboard displayed on the device when you enter text into a field. The letters are case-sensitive.

host—Enter the domain name, IP address, or Group URL of the ASA with which to connect. AnyConnect inserts the value of this parameter into the Server Address field of the AnyConnect connection entry. For example, vpn.example.com.

netroam (optional)—Determines whether to limit the time it takes to reconnect after the device wakes up or after a change to the connection type (such as EDGE, 3G, or Wi-Fi).


Note This parameter does not affect data roaming or the use of multiple mobile service providers.


The valid values are:

true—(Default) This option optimizes VPN access. AnyConnect inserts the value ON into the Network Roaming field of the AnyConnect connection entry. If AnyConnect loses a connection, it tries to establish a new one until it succeeds. This setting lets applications rely on a sustained connection to the VPN. AnyConnect does not impose a limit on the time it takes to reconnect.

false—This option optimizes battery life. AnyConnect associates this value with the OFF value in the Network Roaming field of the AnyConnect connection entry. If AnyConnect loses a connection, it tries to establish a new one for 20 seconds and then stops trying. The user or application must start a new VPN connection if one is necessary.

usecert (optional)—Determines whether to use a digital certificate pre-installed on the device when establishing a VPN connection to the host. The valid values are:

true—This option enhances network security access, and is required for Connect on Demand. AnyConnect inserts the value ON into the Use Certificates field of the AnyConnect connection entry. AnyConnect then uses a digital certificate while establishing a VPN connection with the host. You must enter this option if the host configuration requires the use of a digital certificate for VPN access. If 'usecert' is set to true, but 'certcommonname' is not specified, Automatic Certificate Selection is used.

false (default)—Use this option if VPN access does not require a digital certificate. AnyConnect associates this value with the Disabled value in the Certificate field of the AnyConnect connection entry.

certcommonname (optional, but requires the usecert parameter)—Matches the Common Name of a valid certificate pre-installed on the device. AnyConnect inserts the value into the Certificate field of the AnyConnect connection entry.

To view this value on a certificate installed on the device, tap Diagnostics in the button bar and tap Manage Certificates. The common name in the following example is example-id.

Figure 2 Select Certificate Screen

You might need to scroll to view the certificate required by the host. Tap the detail disclosure button to the right of the certificate summary to view the Common Name parameter read from the certificate, as well as the other values.

useondemand (optional, but requires the usecert and certcommonname parameters)—Determines whether applications, such as Safari, can start VPN connections.

true—Lets an application use Apple iOS to start a VPN connection. If you set the useondemand parameter to true, AnyConnect inserts the value ON into the Connect on Demand field of the AnyConnect connection entry.

false (Default)—Prevents applications from starting a VPN connection. Using this option is the only way to prevent an application that makes a DNS request from potentially triggering a VPN connection. AnyConnect associates this option with the OFF value in the Connect on Demand field of the AnyConnect connection entry.

domainlistnever (optional)—Lists the domains to evaluate for a match to disqualify the use of the Connect on Demand feature. This list is the first one AnyConnect uses to evaluate domain requests for a match. If a domain request matches, AnyConnect ignores the domain request. AnyConnect inserts this list into the Never Connect field of the AnyConnect connection entry. This list lets you exclude certain resources. For example, you might not want an automatic VPN connection over a public facing Web server. An example value is www.example.com.

domainlistalways (domainlistalways or domainlistifneeded parameter required)—Lists the domains to evaluate for a match for the Connect on Demand feature. This list is the second one AnyConnect uses to evaluate domain requests for a match. If an application requests access to one of the domains specified by this parameter and a VPN connection is not already in progress, Apple iOS attempts to establish a VPN connection. AnyConnect inserts this list into the Always Connect field of the AnyConnect connection entry. An example value list is email.example.com,pay.examplecloud.com.

domainlistifneeded (domainlistalways or domainlistifneeded parameter required)—AnyConnect evaluates a domain request for a match against this list if a DNS error occurred. If a string in this list matches the domain, Apple iOS attempts to establish a VPN connection. AnyConnect inserts this list into the Connect if Needed field of the AnyConnect connection entry. The most common use case for this list is to obtain brief access to an internal resource that is not accessible in a LAN within the corporate network. An example value is intranet.example.com.
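A create URI published on a setup page is only as good as its parameters, so it pays to check one against the rules above before handing it to users. The following Python is an added example, not Cisco's code and not the AnyConnect URI handler itself. It builds a create URI with %20-encoded spaces, accepts the optional leading and trailing slashes, requires both name and host as the syntax line shows, and enforces the dependencies the parameter descriptions state: certcommonname needs usecert, and useondemand needs usecert and certcommonname plus one of domainlistalways or domainlistifneeded. The keys of the returned dictionary follow the connection-entry field names used in the text; the "Automatic" label for certificate selection without a common name is this example's own.

```python
"""Build and validate anyconnect create-action URIs (added example, not Cisco code)."""
from urllib.parse import parse_qs, quote, urlencode

# Parameter names come from the text above; KNOWN_PARAMS rejects anything else.
BOOL_PARAMS = ("netroam", "usecert", "useondemand")
LIST_PARAMS = ("domainlistnever", "domainlistalways", "domainlistifneeded")
KNOWN_PARAMS = ("name", "host", "certcommonname") + BOOL_PARAMS + LIST_PARAMS
BOOL_DEFAULTS = {"netroam": True, "usecert": False, "useondemand": False}


def build_create_uri(name: str, host: str, **options) -> str:
    """Return an anyconnect:create URI. Spaces become %20; list values are comma-joined."""
    query = {"name": name, "host": host}
    for key, value in options.items():
        if key not in KNOWN_PARAMS:
            raise ValueError(f"unknown create parameter: {key}")
        if isinstance(value, bool):
            value = "true" if value else "false"
        elif isinstance(value, (list, tuple)):
            value = ",".join(value)
        query[key] = str(value)
    # quote (not quote_plus) encodes a space as %20; commas stay literal for the domain lists.
    return "anyconnect:create?" + urlencode(query, safe=",", quote_via=quote)


def parse_create_uri(uri: str) -> dict:
    """Parse a create URI into the connection-entry fields it populates, enforcing the
    parameter dependencies stated in the text. Raises ValueError for an invalid URI."""
    scheme, _, rest = uri.partition(":")
    if scheme != "anyconnect":
        raise ValueError("not an anyconnect: URI")
    action, _, query = rest.lstrip("/").partition("?")      # leading slashes are optional
    if action.rstrip("/") != "create":                      # so is the trailing slash
        raise ValueError(f"unsupported action: {action!r}")

    params = {}
    for key, values in parse_qs(query, keep_blank_values=True, strict_parsing=True).items():
        if key not in KNOWN_PARAMS:
            raise ValueError(f"unknown parameter: {key}")
        if len(values) != 1:
            raise ValueError(f"parameter repeated: {key}")
        params[key] = values[0]
    for required in ("name", "host"):
        if not params.get(required):
            raise ValueError(f"missing required parameter: {required}")

    flags = {}
    for key in BOOL_PARAMS:
        raw = params.get(key, "true" if BOOL_DEFAULTS[key] else "false")
        if raw not in ("true", "false"):
            raise ValueError(f"{key} must be true or false, got {raw!r}")
        flags[key] = raw == "true"

    common_name = params.get("certcommonname")
    if common_name and not flags["usecert"]:
        raise ValueError("certcommonname requires usecert=true")
    if flags["useondemand"]:
        if not (flags["usecert"] and common_name):
            raise ValueError("useondemand=true requires usecert=true and certcommonname")
        if not (params.get("domainlistalways") or params.get("domainlistifneeded")):
            raise ValueError("useondemand=true requires domainlistalways or domainlistifneeded")
    lists = {key: [d for d in params.get(key, "").split(",") if d] for key in LIST_PARAMS}

    if flags["usecert"]:
        # usecert=true without a common name means Automatic Certificate Selection
        # ("Automatic" is this example's label, not an AnyConnect field value).
        certificate = common_name or "Automatic"
    else:
        certificate = "Disabled"
    return {
        "Description": params["name"],
        "Server Address": params["host"],
        "Network Roaming": "ON" if flags["netroam"] else "OFF",
        "Use Certificates": "ON" if flags["usecert"] else "OFF",
        "Certificate": certificate,
        "Connect on Demand": "ON" if flags["useondemand"] else "OFF",
        "Never Connect": lists["domainlistnever"],
        "Always Connect": lists["domainlistalways"],
        "Connect if Needed": lists["domainlistifneeded"],
        "warnings": ["name longer than the recommended 24 characters"] if len(params["name"]) > 24 else [],
    }


def create_uri_error(uri: str):
    """Return None for a valid create URI, otherwise the validation message."""
    try:
        parse_create_uri(uri)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    uri = build_create_uri("Example with certificate", "vpn.example.com",
                           netroam=True, usecert=True, certcommonname="example-ID",
                           useondemand=True,
                           domainlistalways=["email.example.com", "pay.examplecloud.com"],
                           domainlistnever=["www.example.com"],
                           domainlistifneeded=["intranet.example.com"])
    print(uri)
    for field, value in parse_create_uri(uri).items():
        print(f"  {field}: {value}")
```

Running the block reproduces the last example URI from the list above and prints the connection-entry fields it populates; create_uri_error returns the first rule a malformed URI breaks, which is the check to run over every link before it goes onto a setup page.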

Use a comma-delimited list to specify multiple domains. The Connect-on-Demand rules support only domain names, not IP addresses. However, AnyConnect is flexible about the domain name format of each list entry, as follows:

Figure 3 AnyConnect Domain Matching

Match: Exact prefix and domain name only.
Instruction: Enter the prefix, dot, and domain name.
Example Entry: email.example.com
Example Matches: email.example.com
Example Match Failures: www.example.com, email.1example.com, email.example1.com, email.example.org

Match: Any prefix with the exact domain name. The leading dot prevents connections to hosts ending with *example.com, such as notexample.com.
Instruction: Enter a dot followed by the domain name to be matched.
Example Entry: .example.org
Example Matches: anytext.example.org
Example Match Failures: anytext.example.com, anytext.1example.org, anytext.example1.org

Match: Any domain name ending with the text you specify.
Instruction: Enter the end of the domain name to be matched.
Example Entry: example.net
Example Matches: anytext.anytext-example.net, anytext.example.net
Example Match Failures: anytext.example1.net, anytext.example.com
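The preconditions and list order described under Apple iOS Connect On Demand, and the matching rules in the table just shown, can be checked together with one small model. The following is an added example, not Cisco or Apple code: it reproduces every match and failure in the table with a single case-insensitive ends-with comparison (this example's reading of the table, which also means a bare entry such as example.net matches anytext-example.net), refuses IP-address requests as the text requires, adds the entry's own server address to the Never Connect list as the earlier note says AnyConnect does, and applies the lists in the order Never Connect, Always Connect, Connect if Needed. The ConnectionEntry fields and Decision names are this example's own.

```python
"""Connect On Demand evaluation and domain-list matching (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    NO_ACTION = "no action"   # iOS leaves the request alone (or a precondition failed)
    IGNORE = "ignore"         # request matched the Never Connect list
    CONNECT = "connect"       # iOS starts the VPN on the application's behalf


@dataclass
class ConnectionEntry:
    """The fields of a connection entry that Connect On Demand consults."""
    name: str
    server_address: str
    use_certificate: bool = False
    connect_on_demand: bool = False
    never_connect: list = field(default_factory=list)
    always_connect: list = field(default_factory=list)
    connect_if_needed: list = field(default_factory=list)


def domain_matches(requested: str, entry: str) -> bool:
    """Match a requested domain against one list entry.

    Assumption: all three rows of the matching table are reproduced by a single
    case-insensitive "ends with" comparison. A leading dot in the entry therefore
    requires some prefix before the domain, and a bare "example.net" also matches
    "anytext-example.net". Rules support domain names only, never IP addresses.
    """
    try:
        ipaddress.ip_address(requested)
        return False            # an IP literal never matches a Connect On Demand rule
    except ValueError:
        pass
    name = requested.lower().rstrip(".")
    pattern = entry.lower().rstrip(".")
    return bool(pattern) and name.endswith(pattern)


def matches_any(requested: str, entries: list) -> bool:
    return any(domain_matches(requested, e) for e in entries)


def effective_never_list(entry: ConnectionEntry) -> list:
    """AnyConnect adds the entry's own server address to the Never Connect list when
    Connect On Demand is enabled, so browsing to the gateway does not start the VPN."""
    return [entry.server_address] + list(entry.never_connect)


def evaluate_on_demand(entry: ConnectionEntry, requested_domain: str, *,
                       vpn_established: bool = False, dns_failed: bool = False,
                       app_compatible: bool = True) -> Decision:
    """Apply the preconditions and list order the text describes."""
    if vpn_established or not app_compatible:
        return Decision.NO_ACTION
    if not (entry.use_certificate and entry.connect_on_demand):
        return Decision.NO_ACTION
    # 1. Never Connect is consulted first and wins outright.
    if matches_any(requested_domain, effective_never_list(entry)):
        return Decision.IGNORE
    # 2. Always Connect starts the VPN on any match.
    if matches_any(requested_domain, entry.always_connect):
        return Decision.CONNECT
    # 3. Connect if Needed is consulted only after a DNS failure.
    if dns_failed and matches_any(requested_domain, entry.connect_if_needed):
        return Decision.CONNECT
    return Decision.NO_ACTION


if __name__ == "__main__":
    # Constructed entry mirroring the example values used in the text.
    entry = ConnectionEntry(
        name="Example with certificate", server_address="vpn.example.com",
        use_certificate=True, connect_on_demand=True,
        never_connect=["www.example.com"],
        always_connect=["email.example.com", "pay.examplecloud.com"],
        connect_if_needed=["intranet.example.com"],
    )
    for domain, dns_failed in [("vpn.example.com", False), ("www.example.com", False),
                               ("email.example.com", False), ("intranet.example.com", False),
                               ("intranet.example.com", True), ("10.0.0.1", True)]:
        print(f"{domain:22} dns_failed={dns_failed!s:5} -> "
              f"{evaluate_on_demand(entry, domain, dns_failed=dns_failed).value}")
```

The demo shows the two behaviours that most often confuse users: a request for intranet.example.com does nothing until a DNS lookup has actually failed, and a request for the gateway's own address is ignored because AnyConnect put it on the Never Connect list.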


Using the URI Handler to Establish a VPN Connection

Embed connection information in URIs and provide these URIs to users so they can easily establish VPN connections.

Create URI strings that perform the following tasks:

Provide the Connection Name and Host Name in a URI

Provide Connection Information and Prefill a Username and Password in a URI

Provide Connection Information and Prefill Usernames and Passwords for Double Authentication

Provide Connection Information, Prefill a Username and Password, and Specify a Connection Alias

See also Connect Parameter and Syntax Descriptions.

Provide the Connection Name and Host Name in a URI

Use either syntax to insert the name and host parameters into the connect action:

anyconnect:[//]connect[/]?[name=Description|host=ServerAddress]
anyconnect:[//]connect[/]?name=Description&host=ServerAddress

Examples of completed URIs

anyconnect://connect/?name=Example
anyconnect:connect?host=hr.example.com
anyconnect:connect?name=Example&host=hr.example.com

See Connect Parameter and Syntax Descriptions for expanded descriptions of the parameters and additional syntax requirements.

Provide Connection Information and Prefill a Username and Password in a URI

Use either syntax to specify the prefilled username and prefilled password parameters in addition to the name and host parameters in the connect action:

anyconnect:[//]connect[/]?[name=Description|host=ServerAddress]&prefill_username=username&prefill_password=password
anyconnect:[//]connect[/]?name=Description&host=ServerAddress&prefill_username=username&prefill_password=password

Examples of completed URIs

anyconnect://connect/?name=Example&host=hr.example.com&prefill_username=user1&prefill_password=password1
anyconnect:connect?name=Example&host=hr.example.com&prefill_username=user1&prefill_password=password1

See Connect Parameter and Syntax Descriptions for expanded descriptions of the parameters and additional syntax requirements.

Provide Connection Information and Prefill Usernames and Passwords for Double Authentication

Use either syntax to specify the prefilled primary and secondary username and password parameters in addition to the name and host parameters in the connect action:

anyconnect:[//]connect[/]?[name=Description|host=ServerAddress]&prefill_username=username&prefill_password=password&prefill_secondary_username=username2&prefill_secondary_password=password2

anyconnect:[//]connect[/]?name=Description&host=ServerAddress&prefill_username=username&prefill_password=password&prefill_secondary_username=username2&prefill_secondary_password=password2

Examples of completed URIs

anyconnect://connect/?name=Example&host=hr.example.com&prefill_username=user1&prefill_password=password1&prefill_secondary_username=user2&prefill_secondary_password=password2

anyconnect:connect?name=Example&host=hr.example.com&prefill_username=user1&prefill_password=password1&prefill_secondary_username=user2&prefill_secondary_password=password2

See Connect Parameter and Syntax Descriptions for expanded descriptions of the parameters and additional syntax requirements.

Provide Connection Information, Prefill a Username and Password, and Specify a Connection Alias

This example adds a connection alias to a URI that provides a prefilled username and prefilled password in addition to the name and host parameters for the connect action:

anyconnect:[//]connect[/]?[name=Description|host=ServerAddress]&prefill_username=username&prefill_password=password&prefill_group_list=10.%20Single%20Authentication
anyconnect:[//]connect[/]?name=Description&host=ServerAddress&prefill_username=username&prefill_password=password&prefill_group_list=10.%20Single%20Authentication

Examples of completed URIs

anyconnect://connect/?name=Example&host=hr.example.com&prefill_username=user1&prefill_password=password1&prefill_group_list=10.%20Single%20Authentication
anyconnect:connect?name=Example&host=hr.example.com&prefill_username=user1&prefill_password=password1&prefill_group_list=10.%20Single%20Authentication

See Connect Parameter and Syntax Descriptions for expanded descriptions of the parameters and additional syntax requirements.

Connect Parameter and Syntax Descriptions

The connect action requires either the name or the host parameter, but allows both. If all the parameter values in the statement match those of an AnyConnect connection entry on the device, Apple iOS uses the remaining parameters to establish the connection. If AnyConnect does not match all parameters in the statement to those in a connection entry and the name parameter is unique, it generates a new connection entry. Apple iOS then attempts the VPN connection.

The slashes in the beginning of the URI are optional.

To match a space, enter %20. For example, to match a connection entry named Example Connection 1, enter Example%20Connection%201. All characters that are not [a-z], [A-Z], and [0-9] have to be URI-encoded.

These are descriptions of the connect parameter options:

name—Name of the connection entry as it appears in the connection list of the AnyConnect home screen. AnyConnect evaluates this value against the Description field of the AnyConnect connection entries, also called name if you used the previous instructions to create the connection entry on the Apple iOS device. The value is case-sensitive; AnyConnect does not match this field if the case of the letters in the statement differs from that in the connection entries.

host—Enter the domain name, IP address, or Group URL of the ASA to match the Server Address field of an AnyConnect connection entry, also called the host if you used the previous instructions to generate the connection entry on the Apple iOS device.

prefill_username—Provides the username in the connect URI and prefills it in connection prompts.

prefill_password—Provides the password in the connect URI and prefills it in connection prompts.


Caution The prefill_password parameter should be used only with connection profiles configured for one-time passwords.

prefill_secondary_username—In environments that are configured to require double authentication, this parameter provides the secondary username in the connect URI and prefills it in the connection prompts.

prefill_secondary_password—In environments that are configured to require double authentication, this parameter provides the password for the secondary username in the connect URI and prefills it in the connection prompts.

prefill_group_list—The connection alias defined in ASDM by selecting Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Advanced > Group Alias/Group URL > Connection Aliases.
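The following is an added example, not Cisco's code, that builds a connect URI with the percent-encoding and name/host rule described above and then resolves a received URI against a device's connection entries the way the text describes (case-sensitive match on the Description and Server Address fields, new entry only when the name is unique). The connection entries are constructed sample data.

```python
import re
from urllib.parse import parse_qs, quote

# Parameters the connect action accepts, per the descriptions above. Note that
# prefill_password puts a password into the URI itself; the Caution above limits
# it to one-time-password profiles.
CONNECT_PARAMS = {"name", "host", "prefill_username", "prefill_password",
                  "prefill_secondary_username", "prefill_secondary_password",
                  "prefill_group_list"}
# anyconnect:[//]connect[/]?query, with both slash groups optional.
CONNECT_RE = re.compile(r"^anyconnect:(?://)?connect/?\?(?P<query>.*)$")


def build_connect_uri(**params):
    """Percent-encode every value (a space becomes %20) and assemble the URI."""
    unknown = set(params) - CONNECT_PARAMS
    if unknown:
        raise ValueError(f"unsupported connect parameter(s): {sorted(unknown)}")
    if "name" not in params and "host" not in params:
        raise ValueError("connect requires the name parameter, the host parameter, or both")
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return f"anyconnect://connect/?{query}"


def parse_connect_uri(uri):
    """Decode a connect URI into its parameters, enforcing the name/host rule."""
    m = CONNECT_RE.match(uri)
    if not m:
        raise ValueError("not an AnyConnect connect URI")
    params = {k: v[0] for k, v in parse_qs(m.group("query")).items()}
    if "name" not in params and "host" not in params:
        raise ValueError("connect requires the name parameter, the host parameter, or both")
    return params


def resolve_connect(uri, entries):
    """Match a connect URI against the device's connection entries.
    entries: list of {"name": Description, "host": Server Address} dicts.
    Returns ("existing", entry) when every name/host given in the URI matches an
    entry (case-sensitively), ("new", entry) when nothing matches and the name is
    unique, and raises otherwise."""
    params = parse_connect_uri(uri)
    wanted = {k: params[k] for k in ("name", "host") if k in params}
    for entry in entries:
        if all(entry.get(k) == v for k, v in wanted.items()):
            return "existing", entry
    name = params.get("name")
    if name is not None and all(e.get("name") != name for e in entries):
        return "new", {"name": name, "host": params.get("host")}
    raise ValueError("no entry matches and the name parameter is missing or not unique")
```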

Using the URI Handler to Disconnect from a VPN

Use the following syntax to insert the disconnect action:

anyconnect:[//]disconnect[/]

Examples:

anyconnect://disconnect/
anyconnect:disconnect

The slashes are optional. The disconnect action takes no parameters.

Using the URI Handler to Localize the AnyConnect UI and Messages


Note You must have Apple iOS 5 or later installed on the mobile device to use the URI handler to localize the AnyConnect UI and messages.


Use the following syntax to use the import command in a URI:

anyconnect:[//]import[/]?type=localization&lang=LanguageCode&host=ServerAddress

Example:

anyconnect:import?type=localization&lang=fr&host=asa.example.com

The slashes are optional. The import action requires the host parameter. The type, lang and host parameters are defined below:

type—The import type; for this action it is always localization.

lang—The two- or four-character language tag representing the language provided in the anyconnect.po file. For example, the language tag may simply be fr for "French" or fr-ca for "Canadian French."

host—Enter the domain name or IP address of the ASA to match the Server Address field of an AnyConnect connection entry.

Using the URI Handler to Import a PKCS12 Encoded Certificate Bundle

The AnyConnect client authenticates itself to the ASA using a PKCS12 encoded certificate that has been installed on the endpoint. Use the URI handler import command to import a PKCS12 encoded certificate bundle to the endpoint.

Use the following syntax to import a PKCS12 certificate from a URL:

anyconnect://import/?type=pkcs12&uri=http%3A%2F%2Fexample.com%2FCertName.p12
anyconnect:import?type=pkcs12&uri=http%3A%2F%2Fexample.com%2FCertName.p12

The slashes at the beginning of the URI are optional.

To match a space, enter %20. For example, to match a string named Example Connection 1, enter Example%20Connection%201.

To match a colon in a URI, use %3A. To match a forward slash in a URI, use %2F. For example, to match http://example.cisco.com/CertName.p12, enter http%3A%2F%2Fexample.cisco.com%2FCertName.p12.

These are descriptions of the import parameter options:

type—Only the pkcs12 certificate type is supported.

uri—URL-encoded location where the certificate can be found. We support "http", "https", and "ftp". In the URI, %3A represents a colon (:), %2F represents a forward slash (/), and %40 represents an at sign (@).

HTML Hyperlink Examples

To add the URI to an HTML page, you need to make it part of a hyperlink. Here are examples that show how to use the URI in an HTML hyperlink. The value of the href attribute in each example is the URI.

HTTP Example

<p>
<a href="anyconnect:import?type=pkcs12&uri=http%3A%2F%2Fexample.com%2FCertName.p12">click here to import certificate using http</a>
</p>

FTP Example

<p>

<a href="anyconnect://import?type=pkcs12&uri=ftp%3A%2F%2FAdministrator%3Apassword%40192.168.10.20%2Fcerts%2FCertName.pfx">click here to import certificate using ftp </a>

</p>

Secure Digital Card Example

<p>

<a href="anyconnect://import?type=pkcs12&uri=file%3A%2F%2F%2Fsdcard%2FCertName.pfx">click here to import certificate from sdcard on mobile device</a>

</p>
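The following is an added example, not Cisco's code, for the import parameter descriptions and the hyperlink examples above: it encodes a certificate location into an import URI (colon to %3A, slash to %2F, at sign to %40), decodes a received one, and reports what an administrator should know before publishing the link, such as the credentials embedded in the FTP example. The allowed-scheme set is an assumption that combines the schemes listed in the text with the file:/// form used in the examples.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# anyconnect:[//]import[/]?query, with both slash groups optional.
IMPORT_RE = re.compile(r"^anyconnect:(?://)?import/?\?(?P<query>.*)$")
# The parameter description lists http, https and ftp; the hyperlink examples
# above also use file:/// for a bundle already on the device (assumption).
ALLOWED_SCHEMES = {"http", "https", "ftp", "file"}


def build_import_uri(location):
    """Encode the certificate location: ':' -> %3A, '/' -> %2F, '@' -> %40."""
    return f"anyconnect://import/?type=pkcs12&uri={quote(location, safe='')}"


def parse_import_uri(uri):
    """Return the decoded query of an import URI, enforcing type=pkcs12 and uri."""
    m = IMPORT_RE.match(uri)
    if not m:
        raise ValueError("not an AnyConnect import URI")
    params = {k: v[0] for k, v in parse_qs(m.group("query")).items()}
    if params.get("type") != "pkcs12":
        raise ValueError("only type=pkcs12 is supported for certificate import")
    if "uri" not in params:
        raise ValueError("import requires the uri parameter")
    return params


def check_import_uri(uri):
    """Decode the nested certificate location and list findings a reviewer of
    the hyperlink should see before it is published."""
    location = urlsplit(parse_import_uri(uri)["uri"])
    findings = []
    if location.scheme not in ALLOWED_SCHEMES:
        findings.append(f"unsupported scheme: {location.scheme}")
    if location.username or location.password:
        # The FTP hyperlink example embeds Administrator:password; anyone who
        # can read the page or the link also gets those credentials.
        findings.append("credentials embedded in the certificate location")
    if location.scheme in ("http", "ftp"):
        findings.append("bundle is fetched over an unencrypted transport")
    return location.scheme, location.hostname, location.path, findings
```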

Using the URI Handler to Import a VPN Client Profile

Use this URI handler method to distribute client profiles to AnyConnect clients.

Use the following syntax to use this import command in a URI:

anyconnect:[//]import[/]?type=profile&uri=Filename.xml

Example:

anyconnect:import?type=profile&uri=file%3A%2F%2Fsdcard%2Fprofile.xml

The slashes are optional. The import action requires the uri parameter.

Other Apple iOS Specific Considerations

The following considerations should be taken into account to support AnyConnect on Apple iOS devices:

Use the iPhone Configuration Utility, available from Apple for Windows or Mac OS X, to create and deploy configurations to an Apple iOS device.

Apple iOS does not support discerning between trusted and untrusted networks. The Apple iOS Connect On Demand feature starts a VPN connection when a user attempts to access any destination with a hostname specified in the appropriate domains list. For example, if ".example.com" is in the Always Connect list, when a user goes to internal.example.com, the client starts a VPN connection regardless of the network to which the device is currently connected.

We recommend using the Connect if Needed option if you configure rules. A Connect if Needed rule initiates a VPN connection if the DNS lookup to an internal host fails. It requires a correct DNS configuration so that host names within the enterprise are only resolved using internal DNS servers.

We recommend disabling keepalive messages to conserve battery life of mobile devices if client-side dead peer detection is already enabled. To access the Keepalive Messages parameter, use ASDM to go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit > Advanced > AnyConnect Client.

Server-side DPD should be switched off because it prevents the device from sleeping. However, client-side DPD should remain switched on because it enables the client to determine when the tunnel is terminated due to a lack of network connectivity.


Note Push email notifications do not work via VPN because of Apple iOS constraints. However, one can use AnyConnect in parallel with externally accessible ActiveSync connections, which the tunnel policy can exclude from the session.


Troubleshooting

Enable logging on the device and follow the user troubleshooting instructions in either of the following guides:

iPhone User Guide for Cisco AnyConnect Secure Mobility Client, Release 2.5

iPad User Guide for Cisco AnyConnect Secure Mobility Client, Release 2.5

The user troubleshooting steps are the same for the iPhone and iPad, although the user interfaces do differ. If following those instructions does not resolve the issue, try the following suggestions:

Determine whether the same problem occurs with the desktop client.

Ensure the AnyConnect Mobile license is installed on the ASAs.

If the VPN connection is not restored after the device wakes up, ensure Network Roaming is enabled and that Auto-Reconnect is enabled in the profile.

If certificate authentication fails, ensure the correct certificate has been selected. Ensure that the client certificate on the device has Client Authentication as an Extended Key Usage. Ensure the certificate matching rules in the AnyConnect profile are not filtering out the user's selected certificate. Even if a user selected the certificate, it is not used for authentication if it does not match the filtering rules in the profile. If your authentication mechanism uses an accounting policy associated with an ASA, verify that the user can successfully authenticate. If problems persist, enable logging on the client and enable debug logging on the ASA.

If you see an authentication screen when you are expecting to use certificate-only authentication, configure the connection to use a group URL and ensure that secondary authentication is not configured for the tunnel group. For details, refer to your ASA Administrator Guide.

If Apple iOS prompts you to start a connection using the AnyConnect application when certificate authentication and the Apple iOS Connect On Demand feature are configured for the connection, configure the connection to use a Group URL. Both a Group URL and certificate-only authentication are requirements for Connect on Demand.