For those of you that haven't been to one of my sessions I'm Shawn Geddis, enterprise consulting engineer and through my work with a lot of the government and enterprise customers, VPN access has been one of the trouble spots. Has anybody had that situation? Is that why you are all here? The typical environment, there's so many as you hopefully understand, there's far too many VPN remote access type solutions to be able to cover all this in a session.

So we are going to hit on a couple and I think one thing that we definitely want to do at the end, we want to have a really good Q&A cause I think that's kind of where we can drill down to a little bit more of the troubling area's that you might be facing that we haven't covered here. So this is going to be a little bit higher level overview then some of you may need to have for some low level trouble shooting but we'll do our best.

So we kind of want to talk about internet connect being the application for remote access and in some of your environments you know how we, what do we need to do to configure that. How do we need to get into your, setup your networks? So hopefully we are going to, first of all those not aware we want to help you understand what some of the challenges are in providing the services.

Understanding the services in OS X for remote access, some specific enhancements that we've done, even in the end of the Tiger train and with Leopard and hopefully cover some of the integration into some of the environments and vary little by the way of providing troubleshooting at least in this session right now, but we can help you with information going forward. So again hopefully you are going to learn a little bit what's going on in OS X in remote access, the compatible enhancements in 10.4 that we've added along the way and in 10.5.

So let's start with remote access, Internet Connect that's typically what you're all using for setting up your internet connections. On the VPN side of the house you've got layer two and point to point and it be kind of interesting to know who all's using layer two over point to point or taking other solutions. But we'll just hit on a couple of these and we can maybe talk a little more in dept with some of you maybe even in Q&A.

So if you look at the configuration within Internet Connect on here, within a setup for say a layer two for IPSec the user authentication options that you have obviously the password, one time passwords as well with securID with CRYPTOcard certificates Kerberos and then there is machine authentication, right some of you are wanting to do more in the machine authentication area.

We do support both the shared secret certificates and I think I have the enhancements we did along the way in Tiger so some of you may have seen this. Some of you may have been able to all of a sudden, things worked maybe after one of the software updates.

Kerberos related with IPSec, group filtering with Cisco. Anybody doing groups on Cisco Concentrators, okay a couple of you. And NAT traversal is a big issue. They did some definite improvements on the compatibility on the NAT traversal and during those builds to that's when we added CRYPTOcard as the second one time password support as well and we as Apple we use the CRYPTOcard solution quite extensively. So when, we were just covering the one time password, both CRYPTOcard and securID are available on there as well. I think I was just pointing that out to those folks that weren't aware of it.

Okay enhancements in Leopard, continuation with NAT traversal, that's a situation if you had both the client and the server behind a NAT. Hopefully people were able to leverage that if they were having trouble if there server itself was also behind a NAT. And of course the enhancements with DHCP over PPP in the same time frame with Leopard enhancements here with getting the static routes, search domains and all from the concentrator. That's adding the enhanced compatibility that both Microsoft and Cisco. So if you're in those environments that will improve when you get, when you come out with Leopard.

Hello. So here we go with, lets kind of walk through the situation to better understand what's going on with communication, the components that are in there and what you need to know with respect to the exchange of information. So first of all lets specifically look right now at just layer two tunneling protocol over IPSec, kind of connectivity here, in this scenario I've got one of our laptops set up with remote access with internet connect.

I'm going to say Cisco 3000 a line concentrator and in the end there we are looking at authentication server typically in this environment people are using like a Windows IIS server bound to AD. So as I am doing my request from my laptop, I'm going to do the request to the concentrator. The concentrator is then going to make the request back to me, to my client saying okay who are you? Prove your identity.

And I'm going to provide that back to the concentrator and in this environment we're going to go in a little bit more in depth as to what's necessary her because in this case the Cisco 3000's not going to be able to terminate the EAP-TLS session here, so what happens is, its actually passing this off as a RADIUS request to the Windows IIS server, and that's some area's where some people may have had some issues. So were actually passing it off as a RADIUS request to the authentication server, if everything is okay with that identity, RADIUS success comes on back to the concentrator and of course then we're in, session complete.

So lets look a little closer at some of the configuration issues you might have with that 3000 line. One is that on the, on a Cisco concentrator side since we are doing layer two right, we are not doing a pure IPSec connection from the client to the concentrator, your actually having to set up the concentrator.

Set it up for eight proxies, right and then doing RADIUS to that authentication server, or in this case we are doing groups who are doing that shared key, and we're going to get into a little bit more about the fact that within those concentrators there's issues with the groups. You got the base group and then you got some additional configuration for various groups. So the fact that layer two of our, layer two of our tunneling protocol over our IPSec is kind of the key point here.

There's all kinds of stuff we can get into but one of the key pieces is that you're additionally on the concentrator, your having to set up the authentication servers. Many of you have got, are familiar with the administration on the concentrators here. Got some of the parameters that you can go back on the slides later on and check and compare along with your configuration on your concentrators but the key thing here I think is really coming up in a second as soon as I.

Now we get onto the authentication server, okay and we are doing this with RADIUS because that's what necessary to do that request to terminate the TLS validation that we started from the client's side. Not doing so well with my clicker here. In conjunction with this since most folks have been using potentially the Cisco client to go to the Cisco concentrator the client itself was doing pure IPSec. Once you have the need or you're shifting over to use internet connect to do layer two, most of you haven't done the corresponding opening of the ports for layer two to get that connection.

So be aware both between, be aware of which ports you need open between a client and your concentrator and of course between the concentrator and your authentication server, in this case RADIUS. Depending on which way you use, whether you are using a 1812 or kind of legacy 1645. E That's actually how I caught several people by surprise.

Just because they didn't have it configured that way before. So let's kind of look, step back a little bit at the client and how would you set this up. I have it here related to the smart card but it doesn't have to be that, again we are using EAP-TLS.

With user authentication every panel whether its layer two, point to point 802.1x others, you're always going to get the select certificate panel. How many people are doing EAP-TLS? How many people actually doing client side authentication with certificates? Is this in an area that most of you are not doing? Interesting.

Okay. How many of you are trying to do machine authent or machine authentication? No's, surprising. Same thing here just want to hit quickly on this same enhancements we had with point to point, one time passwords with both securID and CRYPTOcard certificate support and the enhancements that we have in there are of course the added CRYPTOcard components.

So if we do the same thing with our connections here, boy this clicker is not doing, with point to point again keep in mind the ports you need open on these, I am surprised how frequent that is again if you are doing the Cisco client you didn't have to have these open because you are doing a straight IPSec communication between the client and the concentrator. VPN on demand, any body using VPN on demand on internet connect, boy.

The VPN on demand is quite helpful particularly for your objectives maybe, people that aren't really familiar with how to start the internet connect or how to start the remote access session and just to kind of reaffirm here real quickly for you, okay we will get this. VPN on demand is your ability to configure what domains are tied to what configuration, so if I am going to a host here in my talkback.company.com domain, its instantly going to launch my VPN on demand configuration, whatever that is.

That now removes a layer of kind of complexity, gives a little bit more of ease of use for the user. I don't have to now launch remote access to know what's going on, it's going to be launched for me. The services if I have to authenticate with a token, with a password, whatever I need to do, that will take place automatically for me.

Now you shift from VPNs to 802.1x , more of you are doing 802.1x. I don't see too many hands going up, a couple maybe. Okay first off remember that 802.1x is on the wired and wireless side. But what we've done is added a few things, we still have course the support here, a lot of these are in reference my slides are in reference to use of TLS for certificates and smartcards. But we added some support, some enhancements to 802.1x but if you were doing 802.1x in 10.4, it was a little cumbersome.

What I mean by a little cumbersome, if you wanted to do it you had to log in, right we added that capability right at 10.4.6, why am I having so much problems? So there is a Kbase article to help you, to help walk you through the steps you need to do to setup 802.1x authentication log in.

So why is that an issue? Well if you're trying to authenticate to the network and the user at the same time, it's a catch 22, right you need access to the network first before you can authenticate but you can't authenticate until you get to the network so you got this catch 22 situation, we did some what or a workaround there in 10.4.6, you had to do some exporting Kbase article will help walk you through that process.

But we did some enhancements to that within Leopard so within Leopard we also added EAP-FAST which is kind of a successor to LEAP here, kind of address some of the issues of kind of dictionary text and man in the middle pieces, so that's new with in Leopard, within 802.1x.

Now the other enhancement first if all you notice the window we're actually no longer in internet connect. In Leopard all of this configuration shifts over into your network interface configuration panels. Okay. In addition to that now with 802.1x we're not forcing you to go that sort of cumbersome method that you had in 10.4.6 of setting up 802.1x for login.

We actually now have three domains for authentication, we've got the login that is taking the same credentials for authenticating the user themselves and at the network and in addition to login if you don't, if you aren't authenticating that user log in you have the user domain, maybe for once your on a network your authenticating into another isolated area, isolated services and then you have a system domain, this is now where you are authenticating systems using 802.1x, also with certificates as well. Many folks have been talking to me about the need in their environment to do system level authentication and 802.1x with certificates.

So again all three you got, the login, the user and system domain authentication with 802.1x in Leopard, all done within the interfaces. So this is one reference that I was making to the some what simplicity approach that I am giving you with troubleshooting, with the remote access. Its some what of a hard guidance, we could be spending all day I think on some low level TCP dumps and we could bore many of you to tears.

But I think that particularly for first time admin's you are getting into this and you kind of want to keep this at a high level. The very first thing you should be looking at for instance within Internet Connect make sure you got verbose at a logging on, make sure you get as much information within the client itself, within the logs to determine where things may be failing.

Okay there's, the remote access gets a little bit complex with the various components that you have in place and it's hard to give you a simple cookie cutter approach of here's the five things you do and you've solved your problem. But start here with kind of verbose logging and the next thing is moving on into the PPP log right its going to give you information on establishment of that connection. Many folks have been able to diagnose where thing have failed, where they might have some configuration problems, simply by looking at the PPP logs.

Then if you really want to get down to the lower level, okay this is actually a successful session and I think in many areas of connectivity, networking and all kinds of area's the first thing that's best for you to be aware of or you to know is what does a good connection look like, right what should it look like cause if you don't know that when you are looking at a failed connection you're unsure of where things may have failed connection. You are unsure where things may have failed itself. And I'll quickly run through this, but this is really is an establishment of a layer two connection.

Here you're getting all the exchanges of, exchange back and forth with EAP-TLS. All those stars really represent your getting some encrypted content here. Your getting at the end exchange of a lot of your request, you look at the bottom and your getting the DNS, that's where your getting that DHCP over PPP request and then successful setting up of the local and the remote IP's, primary DNS, secondary DNS and you're a success you are in there, right.

If you know what it looks like when you have a successful connection, its better or its easier for you to understand where things maybe failing, each one of those components. And in conjunction with this, how do I do this again, I have many environments that are using cert-based so here's one that you are physically failing, the physical certificate wasn't available. I think I actually had removed my smartcard at this point to do this.

And we're doing an exchange and you see down about two thirds of the way EAP-TLS and we actually failed, we failed to authentication ourselves to the peer. So the peer, being between the client and the concentrator at this point, going on through all the way through to our authentication server.

So particularly in the 802.1x environment again as I kind of emphasized over and over in a lot of these areas is you got to know what's happening, who's requesting what to know where things fail. So in this kind of environment what are the exchanges that are going on between and typically again this is kind of standard environment with an 802.1x.

I'm getting this request to establish this EAP connection over LAN, EAP over L, EAP over LAN. I do that to start the authenticator. I get the request back from that authenticator, back to the supplicants, my client, my portable PowerBook, MacBook Pro. And I'm now doing the response of my identity that gets sent all the way over to the auth server. Right this is where that RADIUS request comes in, and all the way back through the authenticator back with a challenge, so I do the challenge response here with RADIUS.

I supply my credentials again the request on the auth side and I'm now successfully in. So if you understand those, the interplay between these components here again this is where a lot of folks can quickly identify if I have improperly configured my authenticator here, I'm going to be stopping or even failing to even start the session itself.

Extension of, folks have this question a lot and that is they have securID tokens and yet they want to use the Apple VPN server here and they wanted to know how to make that work, how to tie into the backend a server as well. I shared this with folks last year and it seemed to be quite helpful to those people.

So there is a knowledge base article on how to configure and unfortunately you have to kind of go under the hood of things and configure the VPN server, but you can do that authentication back to the RADIUS, not RADIUS the RSA ACE server sorry about that, directly from the Apple VPN.

Now I'm shifting away from standard VPN and 802.1x to another area that seems to be quite prevalent as a challenge with folks, even some folks earlier this morning were asking me about SSL VPN challenges they had. Well first of all why are folks using SSL VPNs? There's a lot of challenges for providing remote access to employees, to ultimate partner's maybe, maybe temporary, maybe the long term.

What are some of the reasons why there considering an SSL VPN kind of solution? Well first of all it doesn't require a client management, right you don't have to start loading software on each client, you don't on ours because the internet connects there but in this case you don't even have to change configurations. A client less architecture, your browser is already there. It doesn't require additional touch points systems actually pushing things out to each client.

The second point there is actually quite powerful though and that is largely the challenge that people have in shifting away from some of the other remote access type approaches is dealing with firewalls in remote offices or dealing with firewalls again in partners organizations or just remote sites. And so the SSL VPN solution helps them break through that challenge because now you aren't having to open up those additional ports since you probably can't even manage those, it's out of your control. Integrating with firewalls in this environment makes it quite a compelling solution. And the other thing with SSL VPN you can reduce the exposure down to particular services rather then opening up your full network.

So lets kind of look at this, its all going to look quite familiar to you, your just connecting from a browser to a server right, I'm doing a request to save my SSL VPN and now I'm doing my typical response and the challenges with certificates here. I finally do my sending of my certificate, my client side identity to the server, I get my authentication and now I have established my whole tunnel between my client and my server. Now all my interaction from my client is all going through that SSL tunnel to the server, right now I don't have to deal with additional ports. I don't have interaction with the rest of the network in my remote site.

But some of you have had some challenges with that. Some with so interaction most people have been deploying like Juniper SSL VPN solutions and they had some challenges with different versions of 10.4 and maintaining or actually initially establishing that connection. I wanted to run through some of this and explain what's happening both what you can do now and what is coming in Leopard that helps you address those particular kinds of problems. Okay so if got a single identity and your doing a connection to SSL VPN. Some of you have probably seen this slide several times now.

It's a typical exchange, OS X is going to pick that first valid certificate, send it off to the server, if you're challenged locally if it's stored in some protective container like smartcard you'd be challenged for the PIN during that exchange, the challenge response sent to the server, trust validation is either successful or failure and if its successful then you are granted access to your service, right.

If you have multiple identities now that same process is going to go through the step but you may potentially be rejected at the other end, so what happens is we talk about this ability to select an alternative certificate, alternative identity and once you select this you get a identity preference and this is kind of your work around too as some of the like Juniper SSL VPN issues that some folks have had.

Once there is an identity preference in your keychain, the next time Safari goes to that SSL VPN server its going to automatically look for and rely on that identity rather then just picking the first one, because a lot of you have had problems with which identity is being used because of the key usage you may have multiple identities that are valid associated with key usage.

So within Leopard we've done some enhancements here to give you the ability to manually creating those identities, this gives you the ability to set that identity up first and not getting in that catch 22 looping effec"t with connectivity to the server. This is one of the closer kinds of views to an identity preference, if you look physically in keychain on your builds and you want to look at your identities, your selection my certificates on the category area.

There's a contextual menu now, so get the contextual menu up and do new identity preference and you can now enter the URL to that SSL VPN, okay and select which certificate you want to use in this area. This is where if you were previously connecting to a Juniper SSL VPN switch, the system would be sending that first identity, first certificate and because the environment that most of the switches are in are windows based environment, what would happen is that Juniper switch would respond back to the browser with a page that says, basically tells the user please select the appropriate certificate.

And so you failed to actually be able to set one because Safari got back a page. Okay let's walk through that again. I use Safari, try to connect to the SSL VPN. The SSL VPN sends me back a web page that says you need to select your certificate.

It fails because Safari thinks things are successful because it got a successful response back with a page, what should of happened is that the SSL VPN box should actually have failed at the hands shake, the SSL hand shake level. Safari would have been notified up through our networking stack that, that identity was not accepted. Essentially it failed and then would have listed the sheet of all the additional certificates to select from.

So in Leopard what we have done is given you this additional capability of if you have solutions like that, that do not fail at the protocol level, they give you that page and tell you to manually select it, you now have the ability to over come that problem regardless of who's box it is, alright. This gives you a very workable solution in all those environments.

So here you're entering the URL, I'm selecting my certificate and again it adds it into the keychain. So if you've ever selected an identity or certificate in any one of those panels, if you look in your keychain you'll provably see a couple of these. In reference to websites or servers, so there is a lot of things that we can talk about on remote access.

Again like I had mentioned early on, we wanted to spend considerably more time in the Q&A area but with respect to customers that I have spoken to over the last several years, the predominate challenge has been connectivity to the Cisco 3000 line, that's been most prevalent use or in the SSL VPN side of the house, and hopefully I have walked you through some of this as a very high level.

Some of the capabilities that we have in the built-in services, hopefully you are still aware of some of the enhancements we've done, remember NAT traversal, DHCP over PPP, the groups, management and then with the transition as I kind of some what mentioned that and many of you clapped and that is the transitional way from internet connect to physically do all that configuration into the interface for each one of the network preferences itself.

And so what we want to do at this point is really kind of move into the kind of QA thing, the Q&A time and spend a little bit more in addressing some a little more esoteric, a little more interesting configurations that you may have and troubles that you've faced within connecting for remote access from an OS X client, and I think at this time I will ask Jason and Kristoff to join me.

Problem was I had my VPN server as my file server I think at one time and for whatever reason when it's doing some exchanges it seems to mess up the AFP server. I had to move, once I disabled the VPN and moved it off onto a separate box the AFP problems went away. And I was just wondering if that was anything that was known or anything?

Does the internet connect software in both Tiger and Leopard allow for that? I know they were thinking of using a product by a company called Apani to maybe pull that off but I don't know if these two pieces of software in conjunction in either of the OS builds allows for that so I just figured I'd ask a general question to see if I am even in the right place here.

The Apani within our customer base, they had the most success with that product line.

So that's umm.

Right you can actually change and you could force everything to go over your VPN by putting your VPN configuration at the highest configuration as well, in addition to checking the option in internet connect.

And in our case for admin's and some limited use people we actually allow full VPN connections but its all going through basically Safari, so I was wondering if there's any tips, tricks on.

And they're saying, okay, we need to do layer two, and everything fails and the problem is they just don't have ports open, so. That's good.

We have, there's several issues in the configurations get kind of tenuous at best. It'll work. We've gotten things to work, but there may be some complexities in your environment that may cause some other challenges. But, the scenario I showed you right here I fully in production and has been in production for like over a year going from a, from Internet Connect on 10.4 to a Cisco 3000, or 3060 Cisco concent`rator all the way to a windows IIS bound active directory yes. There's some of the key points and some of those slides where in a Cisco concentrator, you know how you have base groups. And probably most of you are just relying on the base group for all use coming in.

When you're creating these groups. When you're doing this you have to have the base group for layer two over IPSec as well. And that's typically not a common scenario. And if you have all your PC users coming in and they're all using the base group, first of all configure a new group for them.

Configure the base group for layer two. You're not using mode config because that's Cisco's method of passing back the configuration between the client and server. And within the Apple group your doing a lot of the configurations, we can switch back to slides, but you're doing a lot of the configurations specifically for the layer two over IPSec implementation as well.

So, you almost have to configure base group for the Apple guys as well or it'll fail.

Why do we have to spend more money for their product? And it seems to me, you know, nothing against what these guys are doing, but it seems like there needs to be a little more integration within the Apple VPN client number one. And number two; it would be helpful, I think, if Apple was evangelizing with some of these VPN device manufacturers, SonicWALL and Linksys come to mind, and saying look, you know, let's do something and not make this window centric and not make this impossible to use with a Mac and not make so many hoops to jump through to make it work.

Good point.

And I haven't been able to find that either in the Tiger. And if you have built it in the Leopard that would be great, so if the primary server fails it automatically goes to an unlimited list of backup servers.

The question is, is there just in Leopard the ability to populate one field with a list of backup servers without having to reconfigure a whole new settings, set of settings?

Before it would work occasionally, slightly, sort of but now it doesn't work at all. And there's issues with firewall rules and things like that that aren't present even in the Cisco version of the client itself. So, I'm trying to figure out how to, who to plug them into over at Apple to kind of help evangelize and reassure and.

- Rich: Rich Trodden, National Institutes of Health, our VPN access for the NI is just handle at a global level. I have a central IT group who keeps our Cisco VPN's set up pretty much as black box as possible. One feature that would help out a lot within integrating the remote access client built in the Mac OS X would be the ability to import Cisco profiles if that's possible at all. Because at this point we don't have the.

We don't have the group passwords or anything like that. We basically just get an installer package with two sets of profiles, we install it and it's pretty much a black box to us.

And I looked up in the document that's typed, the session the network services administration guide. And unfortunately there's none of this and what's on the slide in there. Where do we get that kind of guidance so we can share those with our IT peers?

Yeah, I wish it was all in there.

So that's definitely good feedback that Apple needs to improve that documentation. All the contents from this, of course you'll get all these slides accesses developer stuff. But if you need more than that information, more urgent method, again you can get in touch, let's talk afterwards.