Greetings Experts,
Wanted to determine if AnyConnect NAM 4.x (specifically 4.5) is PCI DSS compatible and what version of TLS AnyConnect will support in a PCI DSS compliant network.
From the admin guide, I see the following:
"The following features are FIPS-certified on Windows 7 or later, and any exceptions are listed:
ACS and ISE do not support Suite B, but FreeRADIUS 2.x with OpenSSL 1.x does. Microsoft NPS 2008 supports Suite B in part (the NPS certificate still has to be RSA).
802.1X/EAP supports the transitional Suite B profile only (as defined in RFC 5430). TLS 1.2 is not supported.
MACsec is FIPS-compliant.
Elliptic Curve Diffie-Hellman (ECDH) key exchange is supported.
ECDSA client certificates are supported.
ECDSA CA certificates in the OS store are supported.
ECDSA CA certificates in the network profile (PEM encoded) are supported.
Server’s ECDSA certificate chain verification is supported."
Reference: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect45/administration/guide/b_AnyConnect_Administrator_Guide_4-5/configure_nam.html?bookSearch=true#ID-1424-0000020d
The above document mentions "TLS 1.2 is not supported" in FIPS mode.
Now looking at the ISE hardening guide, it mentions that ISE 2.1+ supports TLS 1.2.
Would like to know if AnyConnect NAM is PCI DSS supported and what version of TLS will be supported in PCI DSS mode. Any documentation or list of cipher suites supported by AnyConnect would be helpful.
Appreciate your time and assistance.
- Asif