Anyconnect FIPS problem

DAVIES604 · ‎11-28-2018

Hi All,

I am using Anyconnect client 4.6 and trying to use ECDSA certificates. I've enabled FIPS mode in the local policy, but the client will not select any ECDSA certs in the store, if I put an RSA cert in it will let me choose it. I'm not convinced that FIPS mode is working. The cisco docs mentioned registry keys that would be modified when FIPS is enabled but this doesn't seems to be the case. Have tried on multiple machines, win7 and 10.

If I use the browser to connect to the ASA clientless, it uses the ECDSA cert, so it seems to be a client issue.

Has anyone experienced this?

Any suggestions appreciated.

stsargen · ‎11-28-2018

AnyConnect currently only supports ECDSA Client certificates for IKEv2. SSL/TLS will be supported in the 4.7 release tentative for sometime in December 2018.

Are you testing this with IKEv2, or SSL?

DAVIES604 · ‎11-28-2018

Hi, many thanks for the reply.

We are using SSL, and did at first think it was unsupported, but in the ‘Enable FIPS in the Local Policy’ chapter of the 4.6 guide, it’s been edited to add ‘Suite B cryptography is available for TLS/DTLS and IKEv2/IPsec VPN connections’ and the TLS/DTLS limitations section have been removed. I assumed this meant SSL was now supported in 4.6, Is this not the case then?

DAVIES604 · ‎11-28-2018

Hi, can I ask where you got the 4.7 info from?

Many thanks.

stsargen · ‎11-29-2018

Hi,

I work for the AnyConnect escalation team so I have access to the release info.

Thanks,

Steve S.