Cisco Cisco ASA 5555-X Adaptive Security Appliance

Page 10 of 16

Distributing Client Certificates

iOS, Android, Windows, and Mac OS X:

1. The ASA supports the Simple Certificate Enrollment Protocol (SCEP) to simplify certificate distribution.

iOS Devices Specific

2. Use the iPCU software to create a .mobileconfig file and include the certificate (.pfx) file. The administrator can

then forward the .mobileconfig file to the user. When the user launches the file, it will install certificates to the

device.

3. The Cisco Identity Services Engine (ISE) native supplicant provisioning process can be used to distribute user

certificates.

4. Enterprise MDM software can provision and publish certificates to registered devices.

Windows Specific

5. On Windows laptops that have joined the AD domain, Microsoft group policy object (GPO) policies can be

used to distribute machine certificates.

Simple Certificate Enrollment Protocol

18, 19

The AnyConnect client uses SCEP to securely issue and renew a certificate used for client authentication. The

remote user launches AnyConnect and authenticates using Active Directory or a one-time token password for the

first time. After establishing the VPN, the ASA pushes a client profile that includes the SCEP request. The

AnyConnect client then sends a certificate request and the CA automatically accepts or denies the request. The

certificate is installed in the device native certificate store. For all subsequent connections the AnyConnect client

uses the newly obtained certificate for authentication and will never prompt the user for a password.

Enhancing the Usability of the VPN Connection

After the VPN connection is established, there are many session parameters in the ASA that define the user

experience of Cisco AnyConnect and Jabber. We will discuss some of the best practices for these parameters.

Datagram Transport Layer Security (DTLS)

DTLS is a standards-based SSL protocol that provides a low-latency data path using UDP. DTLS allows the

AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels - an SSL tunnel and a

DTLS tunnel. DTLS avoids latency and bandwidth problems and improves the performance of real-time

applications such as Jabber that use RTP media streams on UDP. If DTLS is configured and UDP is interrupted,
the remote user’s connection automatically falls back from DTLS to TLS. DTLS is enabled by default when using

AnyConnect and is a valuable and essential feature to ensure the most optimal remote Jabber connection.

SCEP:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b25dc1.shtml

SCEP-2:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/ac03features.html#wp10731
95

DTLS:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/admin5.html#wp999810