I have been working on migrating the Cisco ASA VPN from an RSA key solution to a Symantec VIP Access solution that integrates with smart devices (e.g. iPhone, iPad) through an app.
For this to work I ran through the steps below:
Active Directory
- Create a service account for Symantec VIP to be able to read AD
- Create a group for enabled users to be able to access ASA-VIP VPN
Symantec VIP server
- Create a user store
- Attach the above AD group for enabled users
- Configure RADIUS Validation details including port and shared secret
Cisco ASA
- Create a new IPSec Connection Profile with a new Pre-shared key
- Configure a new AAA Server Group which uses the RADIUS authentication protocol
- Create an AAA Server (the Symantec VIP server)
- Set the Server Authentication and Accounting ports as well as the RADIUS Server Secret Key and Common Password which were initially set up on the VIP server
- Assign the DHCP Servers
- Assign the Group Policy
Note: The IPSec Connection Profile is case-sensitive.
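The ASA-side steps above, expressed as CLI configuration (in the CLI a Connection Profile is a `tunnel-group`). This is an added example, not the author's own configuration. It assumes ASA 8.4 or later syntax and an existing group policy; the names VIP-RADIUS, ASA-VIP and VIP-GP, the interface name, the addresses, the ports and the angle-bracket secrets are all placeholders.

```cisco
! Added example with placeholder values; not taken from the original post.

! AAA Server Group using the RADIUS protocol
aaa-server VIP-RADIUS protocol radius

! AAA Server: the Symantec VIP server, reached through the inside interface
aaa-server VIP-RADIUS (inside) host 192.0.2.10
 ! Must match the shared secret and ports configured on the VIP server
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
 radius-common-pw <common-password>
 ! Assumption: the user needs time to approve the prompt on the phone,
 ! so the default 10 second timeout is raised
 timeout 60

! IPSec Connection Profile. The name is case-sensitive, so the client
! profile must use exactly "ASA-VIP"
tunnel-group ASA-VIP type remote-access
tunnel-group ASA-VIP general-attributes
 authentication-server-group VIP-RADIUS
 default-group-policy VIP-GP
 dhcp-server 192.0.2.20
tunnel-group ASA-VIP ipsec-attributes
 ! New pre-shared key, entered in the client profile as well
 ikev1 pre-shared-key <new-pre-shared-key>

! Check the RADIUS path from the ASA before changing any client profile
! (run in privileged EXEC mode, not configuration mode):
!   test aaa-server authentication VIP-RADIUS host 192.0.2.10 username <user> password <password>
```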
On the client machine, I changed the corresponding profile parameters, e.g. Connection Profile and Pre-shared key. The destination address points to the Outside interface of the ASA. When you hit the Connect button, the authentication box appears, followed by a prompt on the iPhone VIP App seeking approval for the access. When approval is granted, the VPN connection completes and the padlock is displayed within the Cisco VPN client.