iOS 12 and Global Protect 5.0 - Problem

Comes here often

Hello there,

 

We will be experiencing a huge problem soon if there isn't any option to directly embed a certificate into the VPN settings of an iOS device in Meraki. We are using iOS all over the company and manage the devices with the Meraki Systems Manager. iOS 12 is out there, and it won't work with the new version of GlobalProtect 5.0 (our VPN client) if we cannot deploy the client certificates as part of the VPN profile:

 

"If you manage iOS endpoints using an MDM system and want to use client certificates for GlobalProtect client authentication, you must now deploy the client certificates as part of the VPN profile that is pushed from the MDM server."  --> https://www.paloaltonetworks.com/documentation/50/globalprotect/globalprotect-app-new-features/new-f...

 

We have the legacy version of Meraki.

 

Thanks for your answers in advance.

6 REPLIES
Kind of a big deal

Re: iOS 12 and Global Protect 5.0 - Problem

Are you sure it doesn't support SCEP?  If so, you now need to deploy the certificates via Systems Manager.

https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/device/device-certificat...

 

Next thought, Systems Manager can create and deploy a certificate (that Meraki creates) for WiFi authentication.  Perhaps you could use the same certificate.

https://documentation.meraki.com/MR/Encryption_and_Authentication/Certificate-based_WiFi_authenticat...

Comes here often

Re: iOS 12 and Global Protect 5.0 - Problem

Hi Philip,

The second one doesn't solve the problem, and neither does the first one. I need to embed a certificate into the VPN settings in Meraki as an authentication method. See here: https://www.paloaltonetworks.com/documentation/50/globalprotect/globalprotect-app-new-features/new-f...

I created a new profile now and suddenly have more connection types (not only L2TP). I will try it out with IPSec and post here if I've had any luck.
Comes here often

Re: iOS 12 and Global Protect 5.0 - Problem

Well, I tried the IPSec and IKEv2 connection types but still no success. The problem is that iOS 12 no longer allows direct access to the phone's certificates from other apps (like GlobalProtect in my case). Is there any update for Meraki Systems Manager planned to fix this issue?

Kind of a big deal

Re: iOS 12 and Global Protect 5.0 - Problem

If that is the case then the Meraki Systems Manager may also face the same restriction.

 

It sounds like you need a new solution from Global Protect given the new iOS restrictions.

 

Perhaps use an MFA like Duo instead?

Comes here often

Re: iOS 12 and Global Protect 5.0 - Problem

GlobalProtect already has a new solution -> read the article carefully: https://www.paloaltonetworks.com/documentation/50/globalprotect/globalprotect-app-new-features/new-f...

I think the problem in Meraki is the third step from the article:

  • 3. When the Identifier field appears, enter the following bundle ID to identify the new GlobalProtect app:
    com.paloaltonetworks.globalprotect.vpn

I do not have any Identifier field within the IPSec connection type. So I guess the VPN config cannot locate the GP app. Another thing: I get a second VPN config under VPN on the iOS device, so I can either use the GP one or the one from Meraki, but neither works.
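As an added illustration (not code from the thread, Meraki or Palo Alto), this is what the "certificate as part of the VPN profile" requirement looks like in an Apple configuration profile: a PKCS#12 payload and a custom-type VPN payload whose VPNSubType carries the GlobalProtect bundle ID and whose PayloadCertificateUUID points at that certificate, with a check that the reference actually resolves. The mapping of the article's "Identifier" field onto Apple's VPNSubType key, the portal hostname and the payload identifiers are my assumptions, and the certificate bytes are a labelled placeholder.

```python
import plistlib
import uuid

# Constructed placeholder, NOT a real PKCS#12 blob; a real profile carries the
# password-protected .p12 exported for that device here.
PLACEHOLDER_P12 = b"PLACEHOLDER-PKCS12-BYTES"
GP_BUNDLE_ID = "com.paloaltonetworks.globalprotect.vpn"  # bundle ID quoted in the thread

def build_profile(portal, p12_bytes, p12_password):
    """Profile dict with a PKCS#12 payload plus a GlobalProtect VPN payload that
    references it by UUID. Identifiers and the portal hostname are hypothetical."""
    cert_uuid = str(uuid.uuid4()).upper()
    cert_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.cert",
        "PayloadUUID": cert_uuid,
        "PayloadContent": p12_bytes,  # serialised as <data> by plistlib
        "Password": p12_password,
    }
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.globalprotect",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "UserDefinedName": "GlobalProtect",
        "VPNType": "VPN",             # custom (app-provided) VPN type
        "VPNSubType": GP_BUNDLE_ID,   # assumed home of the article's "Identifier" step
        "VPN": {"RemoteAddress": portal, "AuthenticationMethod": "Certificate",
                "PayloadCertificateUUID": cert_uuid},  # links to the PKCS#12 payload
        "VendorConfig": {},
    }
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": "example.vpn", "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadContent": [cert_payload, vpn_payload]}

def check_profile(profile):
    """True only if every VPN payload targets the GP app and its certificate
    reference resolves to a PKCS#12 payload inside the same profile."""
    payloads = profile["PayloadContent"]
    certs = {p["PayloadUUID"] for p in payloads if p["PayloadType"] == "com.apple.security.pkcs12"}
    vpns = [p for p in payloads if p["PayloadType"] == "com.apple.vpn.managed"]
    return bool(vpns) and all(p.get("VPNSubType") == GP_BUNDLE_ID and
                              p["VPN"].get("PayloadCertificateUUID") in certs for p in vpns)

def to_mobileconfig(profile):
    """XML plist bytes, i.e. the .mobileconfig an MDM would push to the device."""
    return plistlib.dumps(profile)
```

A profile that only names the VPN app but omits the certificate payload (or points at a UUID that is not in the same profile) fails check_profile, which is the shape of the gap the poster describes.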

 

Kind of a big deal

Re: iOS 12 and Global Protect 5.0 - Problem

That does not look good - it looks like these changes in iOS 12 are going to require a bunch of new development effort, on multiple fronts.  This iOS 12 change is going to break a lot of things.

 

I would not personally expect support for these new restrictions any time soon.  I think you would be better off not allowing the upgrade to iOS 12.  The loss of security capability is probably worse than any other new functionality.
