Operation Manual

ManualsBrandsApple ManualsOtheriOS Implementierung

Chapter 4 Infrastructure and integration 37

•

Username with password

•

RSA SecurID

•

CRYPTOCard

Authentication groups

The Cisco Unity protocol uses authentication groups to group users based on a common set

of parameters. You should create an authentication group for iOS users. For pre-shared key and

hybrid authentication, the group name must be congured on the device with the group’s

shared secret (pre-shared key) as the group password.

When using certicate authentication, there’s no shared secret. A user’s group is determined

from elds in the certicate. The Cisco server settings can be used to map elds in a certicate to

user groups.

RSA-Sig must be the highest priority on the ISAKMP priority list.

Certicates

When you set up and install certicates:

•

The server identity certicate must contain the server’s DNS name or IP address in the

SubjectAltName eld. The device uses this information to verify that the certicate belongs to

the server. For more exibility, you can specify the SubjectAltName using wildcard characters

for per-segment matching, such as vpn.*.mycompany.com. If no SubjectAltName is specied,

you can put the DNS name in the common name eld.

•

The certicate of the CA that signed the server’s certicate needs to be installed on the device.

If it isn’t a root certicate, install the rest of the trust chain so that the certicate is trusted.

If you use client certicates, make sure the trusted CA certicate that signed the client’s

certicate is installed on the VPN server. When using certicate-based authentication, make

sure the server is set up to identify the user’s group, based on elds in the client certicate.

Important: The certicates and certicate authorities must be valid (for example, not expired).

Sending of certicate chain by the server isn’t supported.

IPSec settings and descriptions

IPSec has various settings that you can use to dene how it will be implemented:

•

Mode: Tunnel mode.

•

IKE Exchange Modes: Aggressive Mode for pre-shared key and hybrid authentication or Main

Mode for certicate authentication.

•

Encryption Algorithms: 3DES, AES-128, or AES256.

•

Authentication Algorithms: HMAC-MD5 or HMAC-SHA1.

•

Die-Hellman Groups: Group 2 is required for pre-shared key and hybrid authentication.

Group 2 with 3DES and AES-128 for certicate authentication. Group 2 or 5 with AES-256.

•

PFS (Perfect Forward Secrecy): IKE phase 2, if PFS is used, the Die-Hellman group must be the

same as was used for IKE phase 1.

•

Mode Conguration: Must be enabled.

•

Dead Peer Detection: Recommended.

•

Standard NAT Traversal: Supported and can be enabled (IPSec over TCP isn’t supported).

•

Load Balancing: Supported and can be enabled.

•

Rekeying of Phase 1: Not currently supported. It’s recommend that rekeying times on the

server be set to one hour.

100% resize factor