
Mac’s Coming to an Enterprise Near You

Post by M. Michael Acosta, Manager, Engineering

Mac users everywhere are eagerly anticipating the upcoming Macworld Expo. As a prelude, this week Macworld.com published their set of predictions for 2008. One prediction in particular resonated with what I’m seeing at some of our customers and within Cisco. MacWorld senior editor Dan Frakes wrote:

“A new Mac market: The debut of Leopard, along with a general dissatisfaction with Windows Vista, will open doors for the Mac in the enterprise market. In fact, we’ll see a few major U.S. companies switch to the Mac platform - some gradually, but at least a couple in a major public migration. We’ll also see a resurgence of the Mac platform in higher education.”

Just a few years ago within Cisco, Macs were conspicuous mostly in their absence. Today, it is not unusual to find an increasing number of Apple logos across from me in meetings. For the first time in quite a while, Macs are again an orderable laptop option for Cisco employees.

Given this, it should come as no surprise that Cisco has invested significantly in supporting the Mac in the enterprise with our products. Cisco Unified Personal Communicator, our next-generation unified communications client, was developed in parallel on both Mac and Windows. It is a fully native Mac application with a user-interface developed specifically for the platform. By the time Steve Jobs takes that stage to introduce the next insanely great Apple product, news of the release of the latest version of Personal Communicator should have hit the wires bringing full localization on both platforms and support for Leopard.

Cisco also offers SSL and IPSec VPN clients for the Mac OS, as well as our MeetingPlace and WebEx web conferencing solutions. And, much to the delight of Cisco’s own Mac users, Apple has also made support for EAP-FAST a native part of OS X.

These successes are valuable to Apple as a way to reinforce the use of Macs in the enterprise, but they also help Cisco by tangibly validating our cross-platform philosophy. Even if a customer has no Macs today, or the Macs are currently only in the “creative” department, it looks like there’s an increasing chance that Mac use will grow in the future. Just the possibility means that Mac support is more likely to be an important part of our customer’s needs. Much more broadly, it is in all our interests to encourage innovative and exciting devices and applications. Healthy competition is great for that. I look forward to enabling all users to communicate as richly and naturally as face-to-face - regardless of their choice of operating system, device, or platform.


16 Comments.


  1. Pete Davis

    Hi Mark,

    I should have added that Cisco supports the embedded L2TP/IPsec client on Leopard very similarly to the iPhone. The Cisco ASA documentation should include information on how to set this up via some of the referenced links.

    Best Regards,
    -Pete

       0 likes

  2. Pete Davis

    Hi Mark,

    The short answer is that both options are possible. While some information on this is available in the ASA Users Guide, Jamey Heary of Cisco posted information on this topic in a blog at Network World in December:

    http://www.networkworld.com/community/node/23023

    Cisco VPN gateways support the iPhone

    Submitted by jheary on Thu, 12/13/2007 – 3:55pm.

    So you have your shiny cool new iPhone. You’re addicted to their very cool web browser. Now you want to be able to surf to your internal home or corporate networks using VPN right? The embedded iPhone VPN client works over both Wi-Fi and EDGE network connections. Good news, both the Cisco IOS routers and the ASA appliance support this. In fact, they’ve supported it all along. Here are some of the geeky details and how to set it up.

    The iPhone vpn client uses L2TP/IPSEC. This is the same VPN protocol that the MacOS and Windows XP native vpn clients use. For those not familiar with L2TP/IPSEC, just think of it as an alternative to using native IPSEC. The Cisco routers and firewalls (ASA) have included support for L2TP/IPSEC for a number of years now. Apple, in its infinite wisdom, has made the iPhone L2TP/IPSEC vpn client almost identical to the one on its MacOS. As a result, Cisco VPN gateways support it.

    However, the iPhone L2TP/IPSEC vpn client does have some limitations. It is not as full featured as the vpn client that is on the MacOS. Here are the officially supported features from Apple that you’ll need to know when configuring your VPN gateway to handle the iPhone.

    * IKE phase 1—3DES encryption with SHA1 hash method. (no md5 support)
    * IPSec phase 2—3DES or AES encryption with MD5 or SHA hash method.
    * PPP Authentication—MSCHAPv2 (officially) but PAP, MS-CHAPv1 also worked in testing.
    * Pre-shared key (no certificate support).

    So how do you configure this on a Cisco ASA firewall? Well, here is a sample configuration using the CLI. If you use ASDM (the GUI) then you can run through the wizard and enable the features the iPhone requires. Also, the Cisco ASA config guide has a partial CLI example found here: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219

        ! Address pool handed out to VPN clients
        ip local pool CLIENT-POOL 10.1.99.128-10.1.99.141 mask 255.255.255.240
        ! IPsec phase 2: 3DES with SHA-1 HMAC, transport mode for L2TP
        crypto ipsec transform-set iPhone esp-3des esp-sha-hmac
        crypto ipsec transform-set iPhone mode transport
        crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set iPhone
        crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
        crypto map outside_map interface outside
        ! Group policy and tunnel group for the L2TP/IPsec clients
        group-policy iPhone internal
        group-policy iPhone attributes
         vpn-tunnel-protocol l2tp-ipsec
         address-pools value CLIENT-POOL
        tunnel-group iPhone type remote-access
        tunnel-group iPhone general-attributes
         default-group-policy iPhone
         authentication-server-group denlab-RADIUS
        tunnel-group iPhone ipsec-attributes
         pre-shared-key test
        tunnel-group iPhone ppp-attributes
         authentication ms-chap-v2
        ! IKE phase 1: pre-shared key, 3DES, SHA-1
        crypto isakmp enable outside
        crypto isakmp policy 5
         authentication pre-share
         encryption 3des
         hash sha
         group 2
         lifetime 86400
        ! NAT traversal with a 20-second keepalive
        crypto isakmp nat-traversal 20

    To those of you familiar with the ASA vpn CLI commands, you’ll notice that this config is nothing special. It is the same config you’ve used to set up any L2TP/IPSEC tunnels in the past. Basically, supporting the iPhone doesn’t change things. You just need to ensure that you are allowing the protocols/options that iPhone supports.

    To check to see if the iPhone user is connected you can use the command

        show vpn-sessiondb detail remote filter protocol L2TPOverIPSec

    or

        show vpn-sessiondb detail remote filter protocol L2TPOverIPSecOverNAtT

    These show commands give you just the L2TP/IPSEC clients that are connected. The second show command shows you any clients that are using nat traversal (meaning they are behind a PAT device somewhere).

    For information on how to configure the Apple iPhone side of things see here http://docs.info.apple.com/article.html?artnum=305827 or here http://docs.info.apple.com/article.html?artnum=305723 .

    For information on how to configure L2TP/IPSEC on an IOS VPN router see here http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804dfa69.html

    Anyone have this setup at your site? Anyone have another iPhone I can have for “testing” purposes.

    The opinions and information presented here are my personal views not those of my employer.

       0 likes
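
One way to check a gateway configuration against the client limitations listed in the article quoted in the comment above, as an added example (not code from the article, the commenter or Cisco). It reads only explicitly written `crypto isakmp policy`, `crypto ipsec transform-set` and `ppp-attributes` lines in the form the sample uses; `parse`, `iphone_gaps` and the gap labels are hypothetical names, and the transport-mode test reflects how L2TP/IPsec works in general rather than an item in the article's list.

```python
import re

# Constructed sample: the IKE, IPsec and PPP lines of the ASA configuration quoted above.
SAMPLE = """\
crypto ipsec transform-set iPhone esp-3des esp-sha-hmac
crypto ipsec transform-set iPhone mode transport
tunnel-group iPhone ppp-attributes
 authentication ms-chap-v2
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
"""

def parse(config):
    """Collect ISAKMP policies, transform sets and PPP settings (explicit lines only)."""
    policies, tsets, ppp, ctx = {}, {}, set(), None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw[0].isspace():                  # sub-command of the current config mode
            if ctx is not None and len(words) > 1:
                ctx.add((words[0], words[1]))
            continue
        ctx = None                            # a top-level command leaves the sub-mode
        line = " ".join(words)
        if m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
            ctx = policies.setdefault(int(m.group(1)), set())
        elif re.fullmatch(r"tunnel-group \S+ ppp-attributes", line):
            ctx = ppp
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets.setdefault(m.group(1), set()).update(m.group(2).split())
    return policies, tsets, ppp

def iphone_gaps(config):
    """Name each client requirement from the article that no config line satisfies."""
    policies, tsets, ppp = parse(config)
    gaps = []
    want = {("authentication", "pre-share"), ("encryption", "3des"), ("hash", "sha")}
    if not any(want <= p for p in policies.values()):
        gaps.append("ike-phase1")
    if not any("transport" in ts and ts & {"esp-sha-hmac", "esp-md5-hmac"}
               and any(t == "esp-3des" or t.startswith("esp-aes") for t in ts)
               for ts in tsets.values()):     # phase 2: 3DES/AES with MD5/SHA
        gaps.append("ipsec-phase2")
    if ("authentication", "ms-chap-v2") not in ppp:
        gaps.append("ppp-auth")
    return gaps
```

An empty list from `iphone_gaps` means every listed requirement has a matching line; a policy that offers only `hash md5`, for instance, is reported as `ike-phase1`.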

  3. Do we have to use Cisco’s VPN Client on our Macs (running Leopard) or can we use/configure Apple’s Network/VPN connection?

       0 likes

  4. That’s great news. When will Cisco’s VPN client support Leopard OS X 10.5?

       0 likes

  5. Pete Davis

    Cisco AnyConnect VPN Client Release 2.1 and the Cisco VPN Client 4.9.01.0100 and greater both provide support for Mac OS X 10.5 / Leopard.

       0 likes

  6. “By the time Steve Jobs takes that stage to introduce the next insanely great Apple product…”

    “Even if a customer has no Macs today, or the Macs are currently only in the ‘creative’ department, it looks like there’s an increasing chance that Mac use will grow in the future.”

    I thought your comments came across a little bit insincere, condescending and maybe narrow-minded. While it’s true that there is an “insane” amount of hype surrounding a lot of Mac products, there is no need to patronize someone who makes people excited about his products. And then your jibe about “creative” departments, that seems a little dismissive too as if to say there are us and then there are “those” people. If you have time and an open mind, it might be worth checking out the insanely great thing the other people in the board room and the “creative” department are using. And even if this doesn’t pass moderation, I think it’s good that you’ve read this far.

       0 likes

  7. Wow, I was just happy to see Cisco being more open (i.e., an article that one doesn’t have to obtain through a VAR) about Mac support — I was really happy to see this and quite surprised to see a knee-jerk comment below the article; I understand where all that pent-up angst comes from (I’ve made my living standing firm between IT departments and professional designers, audio/video technicians, artists, journalists, and other ‘creative types’); but from most vantage points, the platform wars are over — just pick the best tool for the job, and everyone is happy.

    The fact that Cisco is reaching across the aisle to MacOS users is a side-effect, I believe, of their willingness to look at Linux on the back end (and look how much great technology has grown out of that since then).

    Having been among thousands of ‘MacEvangelists’ over the last couple of decades, I can attest to the emotional attachment people can have to technology that works well. I’m sure that among Cisco’s ranks, there are evangelists with equal fervor who are eager to spread the ‘Truth’. I look forward to becoming immersed.

    But as we who take technology so personally interact with other people who may not, and other technologies that were not designed with our favorite toy/tech as its highest priority, we must take a moment to realize our efforts can be hindered by our own bubbling zeal — when all the audience perceives is a minority wallowing in victimhood. Here in the United States, we are experts at that dynamic; so claiming righteous indignation can no longer be blamed on ignorance — but simply bad sportsmanship.

    Welcome, Cisco, to the Mac platform — we’re glad to share the market; both ‘churched’ and ‘unchurched’.

       0 likes

  8. The Network World article may be incorrect. I just finished reading the following Cisco paper which states:

    “Cisco ASA 5500 Security Appliances and PIX Firewalls. We highly recommend the latest 8.0.x software release (or greater), but you can also use 7.2.x software. Neither Cisco IOS VPN routers nor the VPN 3000 Series Concentrators support the iPhone VPN capabilities.”

    Link: http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/iPhone/2.0/connectivity/guide/iphone.html

       0 likes

  9. I am also very anxious about this new theme. Like all the other users, this is my biggest dream at this moment. I am sure that in no time we will get what we are expecting so much right now.

       0 likes

  10. Cisco vpn gateways support the iPhone

       0 likes

  11. Does Cisco VPN Client 4.9.01 support Snow Leopard? If so how can we download the plug-in?

       0 likes

  12. I too am having the same error message since upgrading to Snow Leopard.

    “Error 51: Unable to communicate with the VPN Subsystem.”

    I have been unable to find anything to determine if there is an update or fix for this issue. Is there an update coming? If so, how soon?

       0 likes

  13. On this site, http://snowleopard.wikidot.com/, there is a compatibility list. Is it true that Cisco VPN Client 4.9 0180 works?

       0 likes

  14. I had Error 51 on Snow Leopard. I installed Cisco VPN Client 4.9.0100. It works now. I think there are later versions that should also work. The key is to reinstall or upgrade the client. The problem on Snow Leopard is fixed during installation.

       0 likes

  15. Hi, I’m using Cisco Unified Personal Communicator on my Mac. After upgrading to Snow Leopard it’s not working. Is there any update to fix it?

       0 likes

  16. I upgraded from Leopard to Snow Leopard on my Macbook and my Cisco VPN client stopped working. It says I need at least one network interface, which I clearly have or I could not leave this comment. I tried rebooting. No luck. It says:

    Error 51: Unable to communicate with the VPN Subsystem.

    I notice in the download section there is only mention of Mac OS 10.1. That is very old. Snow Leopard is 10.6. Does Cisco plan to support Mac?

       0 likes