Apple Devices and Cisco VPN Client

If you’ve ever used an iPad or iPhone to connect up to an ipsec vpn endpoint, you’ll be familiar with this screen.

I’ve been using these connections for a while now, mainly connecting to Cisco ASA firewalls. I use these VPN tunnels for both personal and business requirements. In the past I haven’t been able to find a way to save the password, which means every time I want to connect to the VPN I have to type in my password. Anyone who knows me will know that I don’t do short passwords, so typing in a long complex password every time I connect is a huge pain in the ass.

Until recently, I though this was a problem in IOS and Apple’s need to be overly secure. It wasn’t until recently I found out this is actually a Cisco issue. It’s a security restriction put in place by default on the Cisco iPhone client and the Cisco VPN termination device, and the good news is that there is a fix!

If you want to enable the apple clients to save their password, add the following line to the vpn group configuration on your Cisco ASA/Pix:

Log on to the ASA/Pix and enter configuration mode:

PBS-WA-ASA5510# conf t
PBS-WA-ASA5510(config)#

Find the group policy for the the VPN group you want to enable saved passwords

PBS-WA-ASA5510(config)# group-policy vpnusers attributes
PBS-WA-ASA5510(config-group-policy)#

Add the config to allow saved passwords

PBS-WA-ASA5510(config-group-policy)# password-storage enable
PBS-WA-ASA5510(config-group-policy)#

et voila!

Users will be able to save the password on the IOS device. They will still need to enter it the first time they log in, but not for subsequent logins.

Hope you find this useful. Don’t forget to save your config…