iOS 12 and Global Protect 5.0 - Problem

Vali
Comes here often

Hello there,

We will be experiencing a huge problem soon if there isn't any option to directly embed a certificate in the VPN settings of an iOS device in Meraki. We are using iOS all over the company and manage the devices with the Meraki Systems Manager. iOS 12 is out there, and it won't work with the new version of Global Protect 5.0 (our VPN client) if we cannot deploy the client certificates as part of the VPN profile:

"If you manage iOS endpoints using an MDM system and want to use client certificates for GlobalProtect client authentication, you must now deploy the client certificates as part of the VPN profile that is pushed from the MDM server."  --> https://www.paloaltonetworks.com/documentation/50/globalprotect/globalprotect-app-new-features/new-f...

 

We have the legacy version of Meraki.

Thanks in advance for your answers.

6 Replies
PhilipDAth
Kind of a big deal

Are you sure it doesn't support SCEP?  If so, you now need to deploy the certificates via Systems Manager.

https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/device/device-certificat...

Next thought: Systems Manager can create and deploy a certificate (that Meraki creates) for WiFi authentication.  Perhaps you could use the same certificate.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authenticat...

Vali
Comes here often

Hi Philip,

The second one doesn't solve the problem, and neither does the first one. I need to embed a certificate in the VPN settings in Meraki as an authentication method. See here: https://www.paloaltonetworks.com/documentation/50/globalprotect/globalprotect-app-new-features/new-f...

I created a new profile now and suddenly have more connection types (not only L2TP). I will try it out with IPSec and post here if I've had any luck.
Vali
Comes here often

Well, I tried the IPSec and IKEv2 connection types, but still no success. The problem is that iOS 12 no longer allows direct access to the phone's certificates from other apps (like Global Protect in my case). Is there any update for Meraki Systems Manager planned to fix this issue?

PhilipDAth
Kind of a big deal

If that is the case then the Meraki Systems Manager may also face the same restriction.

 

It sounds like you need a new solution from Global Protect given the new iOS restrictions.

 

Perhaps use an MFA like Duo instead?

Vali
Comes here often

Global Protect already has a new solution -> read the article carefully: https://www.paloaltonetworks.com/documentation/50/globalprotect/globalprotect-app-new-features/new-f...

I think the problem in Meraki is the third step from the article:

  • 3. When the Identifier field appears, enter the following bundle ID to identify the new GlobalProtect app:
    com.paloaltonetworks.globalprotect.vpn

I do not have any Identifier field within the IPSec connection type. So I guess the VPN config cannot locate the GP app. Another thing: I get a second VPN config under VPN on the iOS device, so I can either use the GP one or the one from Meraki, but neither works.
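What the quoted requirement looks like when written out as an Apple configuration profile, as an added example (my own code, not from the thread, Meraki, or Palo Alto Networks): the client certificate travels inside the profile as a PKCS#12 payload, and the VPN payload points at it with PayloadCertificateUUID, while the bundle identifier from the article's step 3 goes into VPNSubType so iOS can hand the configuration to the third-party VPN app. The portal address, the `com.example` identifiers, the password and the PKCS#12 bytes are constructed placeholders, and putting the same identifier into ProviderBundleIdentifier is an assumption to verify against the vendor's documentation. The check at the end is the one worth running on whatever an MDM exports: a VPN payload that references a certificate UUID the profile does not carry is exactly the case iOS 12 no longer tolerates.

```python
import plistlib
import uuid

# Bundle identifier quoted in the thread from the GlobalProtect 5.0 release notes.
GP_BUNDLE_ID = "com.paloaltonetworks.globalprotect.vpn"

# Constructed placeholder; a real profile carries the exported PKCS#12 bytes here.
SAMPLE_P12 = b"PLACEHOLDER-PKCS12-BYTES-NOT-A-REAL-CERTIFICATE"

# Payload types that carry certificate material inside a profile.
CERT_PAYLOAD_TYPES = {
    "com.apple.security.pkcs12",
    "com.apple.security.pkcs1",
    "com.apple.security.root",
}


def _uuid():
    return str(uuid.uuid4()).upper()


def build_vpn_profile(p12_data, p12_password, portal, bundle_id=GP_BUNDLE_ID):
    """Build a profile dict: one PKCS#12 payload plus one VPN payload that
    references it by PayloadCertificateUUID (identifiers/addresses are assumed)."""
    cert_uuid, vpn_uuid = _uuid(), _uuid()
    cert_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.cert." + cert_uuid,  # assumed prefix
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "GlobalProtect client certificate",
        "PayloadContent": p12_data,  # bytes are serialised as a <data> element
        "Password": p12_password,
    }
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn." + vpn_uuid,  # assumed prefix
        "PayloadUUID": vpn_uuid,
        "PayloadDisplayName": "GlobalProtect",
        "UserDefinedName": "GlobalProtect",
        "VPNType": "VPN",         # third-party VPN app, not built-in IPSec/IKEv2
        "VPNSubType": bundle_id,  # the "Identifier" field from the article's step 3
        "VPN": {
            "RemoteAddress": portal,
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_uuid,  # the in-profile link iOS 12 requires
            "ProviderType": "packet-tunnel",
            "ProviderBundleIdentifier": bundle_id,  # assumed equal to the app id
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.globalprotect",  # assumed
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "GlobalProtect with embedded client certificate",
        "PayloadContent": [cert_payload, vpn_payload],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist an MDM pushes (unsigned in this example)."""
    return plistlib.dumps(profile)


def check_certificate_linkage(mobileconfig_bytes):
    """Parse a .mobileconfig and list VPN payloads whose certificate reference
    does not resolve to a certificate payload carried in the same profile."""
    profile = plistlib.loads(mobileconfig_bytes)
    payloads = profile.get("PayloadContent", [])
    embedded = {p["PayloadUUID"] for p in payloads
                if p.get("PayloadType") in CERT_PAYLOAD_TYPES}
    problems = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue
        name = p.get("PayloadDisplayName", p.get("PayloadUUID"))
        if p.get("VPNType") == "VPN" and not p.get("VPNSubType"):
            problems.append(f"{name}: VPNType VPN without VPNSubType (app identifier)")
        # Certificate references can live in whichever section the VPNType uses.
        for section in ("VPN", "IKEv2", "IPSec"):
            conf = p.get(section)
            if not isinstance(conf, dict):
                continue
            ref = conf.get("PayloadCertificateUUID")
            if conf.get("AuthenticationMethod") == "Certificate" and ref is None:
                problems.append(f"{name}: {section} uses certificate auth but names no PayloadCertificateUUID")
            elif ref is not None and ref not in embedded:
                problems.append(f"{name}: {section} references certificate {ref} that is not embedded")
    return problems


if __name__ == "__main__":
    blob = to_mobileconfig(build_vpn_profile(SAMPLE_P12, "changeit", "vpn.example.test"))
    print(blob.decode())
    print("problems:", check_certificate_linkage(blob))
```

The same checker can be pointed at a profile exported from the MDM: if the list comes back non-empty, the device receives a VPN configuration that names a credential it was never given, and the app has no permitted way to fetch it from the keychain on its own.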

 

PhilipDAth
Kind of a big deal

That does not look good - it looks like these changes in iOS 12 are going to require a bunch of new development effort, on multiple fronts.  This iOS 12 change is going to break a lot of things.

I would not personally expect support for these new restrictions any time soon.  I think you would be better off not allowing the upgrade to iOS 12.  The loss of security capability is probably worse than any other new functionality.
