Connect iPhone to Windows VPN

Task:

These steps connect an iPhone to a Windows VPN server.  They explain how to generate Apple iOS mobile-config scripts with Apple Configurator 2.  These mobile configuration scripts set options that are unavailable through the iPhone GUI (e.g., the IKEv2 cryptographic algorithms).

Requirements:

  • Apple OSX running Apple Configurator 2
  • Server certificates:  Root_CA.cer and VPN_Server.cer(s).
    N.B., this process does not require the private keys for the Root CA or VPN server.
  • Client certificate:
       (a) Subject CN in username format (e.g., smj@stevenjordan.net).
       (b) Enhanced Key Usage (EKU) includes Client Authentication (1.3.6.1.5.5.7.3.2).
       (c) Subject Alternative Name with a DNS attribute that matches the subject CN
             (e.g., DNS Name=smj@stevenjordan.net).
       (d) IKEv2 requires an RSA (2048-bit) certificate signed with SHA-256.

Administrative Process:

Process consists of three steps: (a) Create, (b) distribute, and (c) import the mobile-config.

Mobile Config

Create the mobile-config using Apple Configurator 2.  N.B., this process requires the Root CA and VPN server certificates (e.g., CER files).  The device certificate and private key are optional (i.e., device.PFX).  Additional PFX considerations:

  • IKEv2 VPN certificate authentication requires PFX installation on the device.
  • Merging the PFX into the mobile-config provides the best user experience.
  • All PFX installations require special security precautions, regardless of whether the PFX is embedded in a mobile-config.
  • Self-service MDM makes administration easier.

Apple Configurator 2:  

  1. Start the Configurator and create a new profile:  File → New Profile.  Alternately, edit an existing profile:  File → Open → Shoreland_Mobile_Config.
  2. General Tab:  Name, identifier (default), Organization, etc.
  3. Certificates Tab:  Import root.crt and VPN_server.crt.  Optionally import device.pfx (i.e., the client certificate and private key).
  4. VPN Tab:

    Table 1.  Apple Configurator 2 IKEv2 VPN Example.

    Setting                                  Value
    ---------------------------------------  ------------------------------------------------
    Connection Name                          *
    Connection Type                          IKEv2
    Server                                   VPN FQDN (public facing), e.g., vpn.stevenjordan.net
    Remote Identifier                        VPN FQDN (public facing)
    Local Identifier                         Subject CN from the client certificate,
                                             e.g., smj@stevenjordan.net
    Machine Authentication                   Certificate
    Identity Certificate (Optional)          Choose User_Device.PFX from the pull-down menu.
    Certificate Type                         RSA
    Server Certificate Issuer Common Name    Root CA issuer (CN), e.g., Jordan_Root_CA
    Server Certificate Common Name           VPN FQDN, e.g., vpn.stevenjordan.net
    IKE SA Params                            Encryption Algorithm:  AES-256
                                             Integrity Algorithm:  SHA2-256
                                             Diffie-Hellman Group:  14
    Child SA Params                          Encryption Algorithm:  AES-256
                                             Integrity Algorithm:  SHA1-96
                                             Diffie-Hellman Group:  14

    5.  Save mobile-config:  
           File → New Profile.  Signing the profile is optional and requires a certificate from Apple.  Save to an accessible location (e.g., Documents).
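The same profile can be generated without the Configurator GUI.  The following script is an added example (not from this post or from Apple): it builds a .mobileconfig with the Root CA, the PKCS#12 identity and an IKEv2 VPN payload carrying the Table 1 settings, using Apple's documented payload keys.  The certificate bytes, host names and password are constructed placeholders.

```python
import plistlib
import uuid

# Constructed placeholders; replace with the DER bytes of Root_CA.cer and the
# bytes of User_Device.pfx.  They are not real certificates.
ROOT_CA_DER = b"placeholder: Root_CA.cer DER bytes"
DEVICE_PFX = b"placeholder: User_Device.pfx bytes"

# IKE SA and Child SA proposals exactly as in Table 1 (Apple's key names)
IKE_SA = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256", "DiffieHellmanGroup": 14}
CHILD_SA = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA1-96", "DiffieHellmanGroup": 14}


def _payload(ptype, name, org, **extra):
    """Common keys every payload dictionary in a .mobileconfig must carry."""
    pid = str(uuid.uuid4()).upper()
    base = {"PayloadType": ptype, "PayloadVersion": 1, "PayloadUUID": pid,
            "PayloadIdentifier": f"{org}.{ptype}.{pid}", "PayloadDisplayName": name}
    base.update(extra)
    return base


def build_profile(server_fqdn, local_id, issuer_cn, root_ca_der, device_pfx, pfx_password, org="example.net"):
    """Return .mobileconfig bytes: root CA + PKCS#12 identity + IKEv2 VPN payload."""
    root = _payload("com.apple.security.root", "Root_CA.cer", org, PayloadContent=root_ca_der)
    # The PFX password is stored in clear text inside the profile: treat the
    # file as a credential and delete it after installation (see the text).
    identity = _payload("com.apple.security.pkcs12", "User_Device.pfx", org,
                        PayloadContent=device_pfx, Password=pfx_password)
    vpn = _payload("com.apple.vpn.managed", "IKEv2 VPN", org,
                   UserDefinedName="IKEv2 VPN", VPNType="IKEv2",
                   IKEv2={"RemoteAddress": server_fqdn,            # Server
                          "RemoteIdentifier": server_fqdn,         # Remote Identifier
                          "LocalIdentifier": local_id,             # client cert subject CN
                          "AuthenticationMethod": "Certificate",   # Machine Authentication
                          "PayloadCertificateUUID": identity["PayloadUUID"],
                          "CertificateType": "RSA",
                          "ServerCertificateIssuerCommonName": issuer_cn,
                          "ServerCertificateCommonName": server_fqdn,
                          "IKESecurityAssociationParameters": IKE_SA,
                          "ChildSecurityAssociationParameters": CHILD_SA})
    profile = _payload("Configuration", "IKEv2 VPN profile", org,
                       PayloadOrganization=org, PayloadContent=[root, identity, vpn])
    return plistlib.dumps(profile)


def read_profile(blob):
    return plistlib.loads(blob)  # plistlib decodes <data> back to bytes
```

Write the returned bytes to a file with the .mobileconfig extension and distribute it as described in the next section; read_profile lets you inspect a profile exported by the Configurator the same way.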

Distribute Mobile-Config

The safest method to distribute these mobile configuration scripts, especially those with private keys, is from a mobile device management (MDM) server.  Apple Configurator works as a secure MDM solution.  The process configures each device via USB.  The process is not 100% automated, but it is secure.  http://simplemdm.com/2016/03/14/how-to-enroll-in-mdm-with-apple-configurator-2/

Alternately, organizations can distribute mobile-config scripts via email or the web.  For example, use Outlook OWA, upload to a website, or use a corporate OneDrive.  Include the device.pfx if it is not incorporated in the mobile-config.

Please consider the security risks associated with these alternative distribution methods.  Certificates and private keys are used to validate identity.  We DO NOT want the wrong person to intercept this data.  It will allow them to authenticate to network servers, send email, etc.  Please use common sense.  Always delete private keys after installation is complete.

Import Mobile-Config

Send the end-user an email with the mobile-config.  The email can include the mobile-config file as an attachment.  The end-user simply needs to open the attachment to start the installation process.
  • Installation requires the end-user's device PIN.
  • The end-user will receive an alert that the mobile-config file is not signed.
  • The end-user must install user certificates and private keys (e.g., device.pfx) as required.  These can also be incorporated into the mobile-config script.
  • The end-user may receive a warning that the PFX is not signed or trusted.

Additional Information:  

Alternatives to Apple Configurator:  Edit mobile-config XML scripts with Notepad++:  http://www.stevenjordan.net/2016/11/ikev2-mobile-config-script.html

How to add certificates and private keys within mobile-config XML scripts using Notepad++:
http://www.stevenjordan.net/2016/11/add-certs-to-mobile-config-xml.html

http://www.stevenjordan.net/2016/09/harden-rras-ikev2.html

Configure Windows Server IKEv2 VPNS:
http://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html
