Enterprise Deployment Manual
Table Of Contents
- Enterprise Deployment Guide
- Contents
- iPhone in the Enterprise
- Deploying iPhone and iPod touch
- Creating and Deploying Configuration Profiles
- Manually Configuring Devices
- Deploying iTunes
- Deploying Applications
- Registering for Application Development
- Signing Applications
- Creating the Distribution Provisioning Profile
- Installing Provisioning Profiles Using iTunes
- Installing Provisioning Profiles Using iPhone Configuration Utility
- Installing Applications Using iTunes
- Installing Applications Using iPhone Configuration Utility
- Using Enterprise Applications
- Disabling an Enterprise Application
- Other Resources
- Cisco VPN Server Configuration
- Configuration Profile Format
- Sample Scripts
68 Appendix A Cisco VPN Server Configuration
Authentication Groups
The Cisco Unity protocol uses authentication groups to group users together based on
a common set of authentication and other parameters. You should create an
authentication group for iPhone OS device users. For pre-shared key and hybrid
authentication, the group name must be configured on the device with the group’s
shared secret (pre-shared key) as the group password.
When using certificate authentication, no shared secret is used and the user’s group is
determined based on fields in the certificate. The Cisco server settings can be used to
map fields in a certificate to user groups.
Certificates
When setting up and installing certificates, make sure of the following:
- The server identity certificate must contain the server’s DNS name and/or IP address
  in the subject alternate name (SubjectAltName) field. The device uses this
  information to verify that the certificate belongs to the server. You can specify the
  SubjectAltName using wildcard characters for per-segment matching, such as
  vpn.*.mycompany.com, for more flexibility. The DNS name can be put in the common
  name field, if no SubjectAltName is specified.
- The certificate of the CA that signed the server’s certificate should be installed on the
  device. If it isn’t a root certificate, install the rest of the trust chain so that the
  certificate is trusted.
- If client certificates are used, make sure that the trusted CA certificate that signed the
  client’s certificate is installed on the VPN server.
- The certificates and certificate authorities must be valid (not expired, for example).
- Sending of certificate chains by the server isn’t supported and should be turned off.
- When using certificate-based authentication, make sure that the server is set up to
  identify the user’s group based on fields in the client certificate. See “Authentication
  Groups” on page 68.
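
The server identity rules in the list above can be checked before a certificate is deployed. The following is an added example, not code from this manual, Apple or Cisco. It assumes the certificate fields have already been extracted into a dict with hypothetical keys (`common_name`, `san_dns`, `san_ip`, `not_before`, `not_after`), that a `*` in a name stands for exactly one whole DNS label, and that the common name is consulted only when the certificate has no SubjectAltName.

```python
import ipaddress
from datetime import datetime, timezone

def segment_match(pattern, host):
    """Compare label by label; a '*' label matches exactly one whole label (assumed)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and all(a == "*" or a == b for a, b in zip(p, h))

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_server_cert(cert, server, now):
    """Return (ok, reason) for the server identity and validity rules listed above."""
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "certificate outside its validity period"
    san_dns, san_ip = cert.get("san_dns", []), cert.get("san_ip", [])
    if is_ip(server):
        target = ipaddress.ip_address(server)
        if any(ipaddress.ip_address(ip) == target for ip in san_ip):
            return True, "IP address found in SubjectAltName"
        return False, "IP address not in SubjectAltName"
    if san_dns or san_ip:
        if any(segment_match(p, server) for p in san_dns):
            return True, "DNS name matched SubjectAltName"
        return False, "SubjectAltName present but no entry matches"
    # No SubjectAltName at all: fall back to the common name.
    if segment_match(cert.get("common_name", ""), server):
        return True, "DNS name matched common name (no SubjectAltName)"
    return False, "no SubjectAltName and common name does not match"

# Constructed sample certificate fields (hypothetical keys, illustrative values).
UTC = timezone.utc
SAMPLE = {
    "common_name": "vpn.mycompany.com",
    "san_dns": ["vpn.*.mycompany.com"],
    "san_ip": ["192.0.2.10"],
    "not_before": datetime(2024, 1, 1, tzinfo=UTC),
    "not_after": datetime(2025, 1, 1, tzinfo=UTC),
}
NOW = datetime(2024, 6, 1, tzinfo=UTC)
```

With the sample data, `vpn.emea.mycompany.com` passes, while `vpn.mycompany.com` fails even though it equals the common name, because a SubjectAltName is present and the wildcard entry requires four labels.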