Greetings Experts,
I wanted to determine whether AnyConnect NAM 4.x (specifically 4.5) is PCI DSS compatible, and which version of TLS AnyConnect will support in a PCI DSS compliant network.
From the admin guide, I see the following:
"The following features are FIPS-certified on Windows 7 or later, and any exceptions are listed:
- ACS and ISE do not support Suite B, but FreeRADIUS 2.x with OpenSSL 1.x does. Microsoft NPS 2008 supports Suite B in part (the NPS certificate still has to be RSA).
- 802.1X/EAP supports the transitional Suite B profile only (as defined in RFC 5430). TLS 1.2 is not supported.
- MACsec is FIPS-compliant.
- Elliptic Curve Diffie-Hellman (ECDH) key exchange is supported.
- ECDSA client certificates are supported.
- ECDSA CA certificates in the OS store are supported.
- ECDSA CA certificates in the network profile (PEM encoded) are supported.
- Server's ECDSA certificate chain verification is supported."
Reference: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect45/administration/guide/b_AnyConnect_Administrator_Guide_4-5/configure_nam.html?bookSearch=true#ID-1424-0000020d
The above document mentions "TLS 1.2 is not supported" in FIPS mode.
Looking at the ISE hardening guide, however, it mentions that ISE 2.1+ supports TLS 1.2.
I would like to know whether AnyConnect NAM is PCI DSS supported and which version of TLS will be supported in PCI DSS mode. Any documentation or a list of the cipher suites supported by AnyConnect would be helpful.
Appreciate your time and assistance.
- Asif
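Since the question is ultimately about which TLS version and cipher suite the supplicant and server actually negotiate, one defender-side check is to parse the ServerHello from a captured EAP-TLS exchange and compare it against a minimum-version policy. The following is an added example, not code from Cisco, AnyConnect, or this thread; the handshake bytes are constructed inline (hypothetical captures, not real NAM or ISE traffic), the cipher-suite name table is a small subset of the IANA registry, and the policy minimum of TLS 1.2 is an assumed parameter that a reviewer would set from their own PCI DSS scope.

```python
import struct

# Protocol version codes as they appear on the wire (RFC 5246 / RFC 8446).
TLS_VERSIONS = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}

# Small subset of IANA cipher suite identifiers; unknown values are shown as hex.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}

EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446: carries the real version for TLS 1.3


def build_server_hello(legacy_version, cipher_suite, selected_version=None):
    """Construct a minimal TLS ServerHello record (test data only, not a capture)."""
    body = struct.pack(">H", legacy_version)        # legacy_version
    body += bytes(32)                                # server random (zeroed for the sample)
    body += b"\x00"                                  # empty session_id
    body += struct.pack(">H", cipher_suite)          # chosen cipher suite
    body += b"\x00"                                  # compression: null
    if selected_version is not None:
        # TLS 1.3 signals its version in the supported_versions extension.
        ext = struct.pack(">HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16" + struct.pack(">HH", legacy_version, len(handshake)) + handshake


def parse_server_hello(record):
    """Return the negotiated version and cipher suite from a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x02:
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")

    version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                                     # skip legacy_version and random
    session_id_len = body[pos]
    pos += 1 + session_id_len
    cipher = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    pos += 1                                         # compression method

    # Extensions are optional; if present, supported_versions overrides legacy_version.
    if pos + 2 <= len(body):
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_data_len == 2:
                version = struct.unpack(">H", ext_data)[0]

    return {
        "version": version,
        "version_name": TLS_VERSIONS.get(version, hex(version)),
        "cipher_suite": cipher,
        "cipher_name": CIPHER_SUITES.get(cipher, hex(cipher)),
    }


def meets_minimum(hello, minimum=0x0303):
    """True if the negotiated version is at or above the policy minimum (assumed: TLS 1.2)."""
    return hello["version"] >= minimum


# Constructed sample handshakes standing in for captured EAP-TLS ServerHellos.
SAMPLES = {
    "tls12_ecdhe_ecdsa": build_server_hello(0x0303, 0xC02B),
    "tls10_rsa_cbc": build_server_hello(0x0301, 0x002F),
    "tls13_aes_gcm": build_server_hello(0x0303, 0x1301, selected_version=0x0304),
}


def audit(samples=SAMPLES, minimum=0x0303):
    """Return {name: (version_name, cipher_name, compliant)} for each sample."""
    results = {}
    for name, record in samples.items():
        hello = parse_server_hello(record)
        results[name] = (hello["version_name"], hello["cipher_name"], meets_minimum(hello, minimum))
    return results


if __name__ == "__main__":
    for name, (ver, suite, ok) in audit().items():
        print(f"{name:20} {ver:8} {suite:45} {'OK' if ok else 'BELOW MINIMUM'}")
```

Feed it the raw ServerHello bytes of each 802.1X session and the audit reports whether the negotiated version clears the policy floor, which is the evidence an assessor would actually ask for, independent of what a datasheet lists as "supported".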