cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
741
Views
5
Helpful
4
Replies

Anyconnect FIPS problem

DAVIES604
Level 1
Level 1

Hi All,

 

I am using Anyconnect client 4.6 and trying to use ECDSA certificates. I've enabled FIPS mode in the local policy, but the client will not select any ECDSA certs in the store, if I put an RSA cert in it will let me choose it. I'm not convinced that FIPS mode is working. The cisco docs mentioned registry keys that would be modified when FIPS is enabled but this doesn't seems to be the case. Have tried on multiple machines, win7 and 10.

If I use the browser to connect to the ASA clientless, it uses the ECDSA cert, so it seems to be a client issue.

 

Has anyone experienced this?

 

Any suggestions appreciated.

4 Replies 4

stsargen
Cisco Employee
Cisco Employee

AnyConnect currently only supports ECDSA Client certificates for IKEv2. SSL/TLS will be supported in the 4.7 release tentative for sometime in December 2018.

 

Are you testing this with IKEv2, or SSL?

Hi, many thanks for the reply. 

 

We are using SSL, and did at first think it was unsupported, but in the ‘Enable FIPS in the Local Policy’ chapter of the 4.6 guide, it’s been edited to add ‘Suite B cryptography is available for TLS/DTLS and IKEv2/IPsec VPN connections’ and the TLS/DTLS limitations section have been removed. I assumed this meant SSL was now supported in 4.6, Is this not the case then?

Hi, can I ask where you got the 4.7 info from?

Many thanks.

Hi,

I work for the AnyConnect escalation team so I have access to the release info.

Thanks,

Steve S.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: