06-23-2023 06:27 AM
All,
In our environment we have a Cisco 5506 (I know it's old), but we are running AnyConnect and using Cisco Duo for MFA. Starting July 1st, Duo no longer supports the TLS 1.0 and 1.1 protocols. The Cisco ASA platform we are using doesn't have DTLS 1.2 capabilities; however, TLS 1.2 can run on it, and the AnyConnect clients are already version 4.9. So my question is: can we configure AnyConnect to use only TLS 1.2 for a few months (after which we will upgrade the device)? If yes, do I only need to change the configuration below:
conf t
ssl server-version tlsv1.2
ssl cipher tlsv1.2 all
or do I need to make more changes (like the XML profile or something)?
06-23-2023 06:41 AM
@VijayBhargavR8067 Yes, you can configure TLS 1.2 only; those commands look correct. Prefer high rather than all.
ssl server-version tlsv1.2
ssl cipher tlsv1.2 high << prefer high
Here is a guide to configure the TLS ciphers on the ASA https://integratingit.wordpress.com/2021/01/27/securing-asa-tls-ciphers/
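After applying ssl server-version tlsv1.2 on the ASA, the practical check is to confirm from outside that the AnyConnect listener now refuses TLS 1.0 and 1.1 handshakes while still completing a TLS 1.2 handshake. The script below is an added example and is not from the original thread or from Cisco; it uses only Python's standard ssl and socket modules. The host "vpn.example.com" and port 443 are assumptions, as is the meets_policy rule (TLS 1.2 accepted, both legacy versions refused), which mirrors the Duo requirement described in the question.

```python
import socket
import ssl

# Protocol versions to probe, pinned one at a time.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_version(host, port, version, timeout=5.0):
    """Attempt one TLS handshake restricted to a single protocol version.

    Returns "accepted" (handshake completed), "rejected" (the server, or the
    network, refused it) or "unavailable" (the local OpenSSL build will not
    even offer that version, so the probe says nothing about the server).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing protocol acceptance, not certificate trust: an ASA is
    # often reached by IP or presents a self-signed certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return "unavailable"
    try:
        # OpenSSL 3 disables TLS 1.0/1.1 at security level 1; drop to level 0
        # so the legacy versions can actually be offered. Ignored on builds
        # that do not understand the directive.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError as exc:
        # Raised locally before any bytes are sent when the version is
        # compiled out of the client library.
        if "no protocols available" in str(exc).lower():
            return "unavailable"
        return "rejected"
    except OSError:
        # Connection reset/refused mid-handshake also means no session.
        return "rejected"


def probe_all(host, port=443):
    """Probe every version in VERSIONS and return {name: outcome}."""
    return {name: probe_version(host, port, v) for name, v in VERSIONS.items()}


def meets_policy(results):
    """True only when TLS 1.0 and 1.1 are not accepted and TLS 1.2 is.

    An "unavailable" legacy probe is treated as not accepted, since the
    server was never offered that version; a practitioner should re-run
    such a probe from a host whose OpenSSL still supports it.
    """
    legacy_refused = all(
        results.get(v) != "accepted" for v in ("TLSv1.0", "TLSv1.1")
    )
    return legacy_refused and results.get("TLSv1.2") == "accepted"


if __name__ == "__main__":
    # Assumed hostname; replace with the ASA's AnyConnect address.
    outcome = probe_all("vpn.example.com", 443)
    for name, state in outcome.items():
        print(f"{name}: {state}")
    print("Duo-compatible:", meets_policy(outcome))
```

Run it from a client on the outside of the ASA before and after the change: before, TLSv1.0 and TLSv1.1 should show accepted; after, only TLSv1.2 should. If the legacy probes report unavailable, the client library simply cannot speak those versions any more, so run the check again from an older host or from openssl s_client with the -tls1 and -tls1_1 flags.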
06-23-2023 06:55 AM
Should we also configure ssl client-version tlsv1.2?
06-23-2023 07:03 AM - edited 06-23-2023 07:12 AM
@VijayBhargavR8067 There is no harm in doing it; that's for when the ASA is acting as a client.