FIPS. Can you configure a FIPS compliant ASA to reject any non-FIPS Anyconnect connections

doylepaul
Level 1

Hi guys, is there any way to automagically refuse any AnyConnect connections to a FIPS-compliant ASA if the AnyConnect client is non-FIPS compliant?

Any help, thoughts or ideas are greatly appreciated as I can't seem to find anything to suggest you can.   

Kind regards

Paul.

4 Replies

npokhriy
Level 1

You enable FIPS compliance for the core AnyConnect Secure Mobility Client in the local policy file on the user computer. This file is an XML file containing security settings, and is not deployed by the ASA. The file must be installed manually or deployed to a user computer using an enterprise software deployment system. You must purchase a FIPS license for the ASA the client connects to.

AnyConnect Local Policy parameters reside in the XML file AnyConnectLocalPolicy.xml. This file is not deployed by the ASA. You must deploy this file using corporate software deployment systems or change the file manually on a user computer.

You can get more information from following link:-

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/release/notes/anyconnect24rn.html#wp1028083

HTH!!

Regards,

Naresh
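Since the reply above says the FIPS switch lives in AnyConnectLocalPolicy.xml on each endpoint rather than on the ASA, the practical way to answer "which laptops are still non-FIPS" is to collect that file from the fleet and check it. The script below is an added example, not code from the thread or from Cisco: it parses a constructed AnyConnectLocalPolicy.xml, reports whether the FipsMode element is set to true, and treats a missing or unparseable file as non-compliant, because the client default is off. The element name FipsMode is the one the client uses; the xmlns and acversion values in the sample are assumptions, and the parser deliberately ignores namespaces so it does not depend on them.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an AnyConnectLocalPolicy.xml with FIPS mode turned on.
# Element names are the client's; the namespace URI and acversion are assumptions.
POLICY_FIPS_ON = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="2.4.0202">
  <FipsMode>true</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <RestrictWebLaunch>false</RestrictWebLaunch>
  <StrictCertificateTrust>false</StrictCertificateTrust>
  <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>
"""

# Same file with the shipped default (FipsMode false): a non-FIPS client.
POLICY_DEFAULT = POLICY_FIPS_ON.replace("<FipsMode>true</FipsMode>", "<FipsMode>false</FipsMode>")

# A policy file that never mentions FipsMode (e.g. an older template) must also
# count as non-FIPS, because the client falls back to its default of off.
POLICY_MISSING = POLICY_FIPS_ON.replace("  <FipsMode>true</FipsMode>\n", "")


def _local(tag: str) -> str:
    """Strip a {namespace} prefix so the check works whatever xmlns the file carries."""
    return tag.rsplit("}", 1)[-1]


def fips_mode_enabled(xml_text: str) -> bool:
    """True only if a <FipsMode> element is present and reads 'true' (case-insensitive).

    Missing element, empty text, or malformed XML all return False: a file we
    cannot positively read as FIPS-on is treated as a non-FIPS endpoint.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    for elem in root.iter():  # iter() includes the root element itself
        if _local(elem.tag) == "FipsMode":
            return (elem.text or "").strip().lower() == "true"
    return False


def audit_fleet(policies: dict) -> list:
    """Given {hostname: xml_text} collected from endpoints, list hosts still non-FIPS."""
    return sorted(host for host, xml in policies.items() if not fips_mode_enabled(xml))


if __name__ == "__main__":
    # Constructed fleet: one compliant laptop, one on defaults, one with an old template.
    fleet = {"laptop-01": POLICY_FIPS_ON, "laptop-02": POLICY_DEFAULT, "laptop-03": POLICY_MISSING}
    for host in audit_fleet(fleet):
        print(f"{host}: FipsMode not enabled, redeploy AnyConnectLocalPolicy.xml")
```

Feed audit_fleet the policy files your software-deployment tool pulls back from each machine; the hosts it returns are the ones the MST rollout missed.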

Hi Naresh, thanks for your speedy reply :-)

My problem is that there are potentially hundreds and hundreds of remote users using AnyConnect. So if I enable FIPS on my ASA, how do I know that all the hundreds and hundreds of users are actually using FIPS-compliant AnyConnect?

It is feasible that a corporate-wide group MST deployment could miss out multiple laptops. These laptops would still be running non-FIPS AnyConnect.

I would like the ASA to be able to reject these non-FIPS AnyConnect connections until they have a FIPS-compliant version of AnyConnect. Is this possible?

I hope this makes sense :-)

Regards

Paul.

Hi Paul,

By default, the ASA specifies the non-FIPS-compliant RC4-SHA1 for the connection. To be FIPS-compliant, you must ensure a FIPS-compliant cipher is the first one specified in the list of SSL encryptions. Otherwise, the DTLS connection fails. Furthermore, we recommend you remove all non-FIPS ciphers from the list to ensure the connection failure doesn't occur.

In ASDM, go to Configuration > Remote Access VPN > Advanced > SSL Settings to specify the SSL encryption types. In the Encryption area, move a FIPS-compliant cipher to the top position in the list.

If you are using CLI, use the ssl encryption command from global configuration mode to order the list.

Regards,

Naresh
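The answer above gives two conditions for the headend: a FIPS-approved cipher must be first in the ssl encryption list, and ideally no non-FIPS cipher should be there at all. The script below is an added example, not code from the thread or from Cisco, that applies both checks to a constructed excerpt of show running-config ssl and builds the corrected ssl encryption line. The cipher keywords are the ones the ASA 8.x ssl encryption command accepts (3des-sha1, aes128-sha1, aes256-sha1, des-sha1, null-sha1, rc4-md5, rc4-sha1); the sample config and hostnames are constructed. Note what this does and does not prove: it audits the ASA's own offer, so a FIPS-mode client will negotiate successfully, but it does not by itself identify which client build connected.

```python
import re

# Constructed "show running-config ssl" excerpt on an ASA 8.x with the default
# order the post describes: RC4-SHA1 in first position.
SHOW_RUN_SSL_DEFAULT = """ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
"""

# FIPS-approved algorithms among the ssl encryption keywords (AES or 3DES with SHA-1),
# listed strongest first so the remediation line can reuse the order.
FIPS_CIPHERS_BY_STRENGTH = ["aes256-sha1", "aes128-sha1", "3des-sha1"]
FIPS_CIPHERS = set(FIPS_CIPHERS_BY_STRENGTH)
# Remaining keywords the command accepts; none are FIPS-approved (RC4, single DES, MD5, NULL).
NON_FIPS_CIPHERS = {"rc4-sha1", "rc4-md5", "des-sha1", "null-sha1"}


def parse_ssl_encryption(running_config: str) -> list:
    """Return the configured cipher order from the 'ssl encryption' line, or [] if absent."""
    m = re.search(r"^ssl encryption\s+(.+?)\s*$", running_config, re.MULTILINE)
    return m.group(1).split() if m else []


def audit_ssl_encryption(running_config: str) -> dict:
    """Apply the post's two checks: first cipher FIPS-approved, no non-FIPS cipher listed.

    Any keyword not in the FIPS set is reported as an offender; keywords we do not
    recognise at all are listed separately so a typo or new keyword is not silently passed.
    """
    ciphers = parse_ssl_encryption(running_config)
    first_ok = bool(ciphers) and ciphers[0] in FIPS_CIPHERS
    offenders = [c for c in ciphers if c not in FIPS_CIPHERS]
    unknown = [c for c in offenders if c not in NON_FIPS_CIPHERS]
    return {
        "configured": ciphers,
        "first_cipher_fips": first_ok,
        "non_fips_ciphers": offenders,
        "unknown_keywords": unknown,
        "compliant": first_ok and not offenders,
    }


def remediation_command(running_config: str) -> str:
    """Build the global-config 'ssl encryption' line that keeps only FIPS ciphers, strongest first.

    If the box currently has no FIPS cipher configured at all, fall back to the full FIPS set.
    """
    configured = set(parse_ssl_encryption(running_config))
    keep = [c for c in FIPS_CIPHERS_BY_STRENGTH if c in configured] or FIPS_CIPHERS_BY_STRENGTH
    return "ssl encryption " + " ".join(keep)


if __name__ == "__main__":
    report = audit_ssl_encryption(SHOW_RUN_SSL_DEFAULT)
    print("configured order :", " ".join(report["configured"]))
    print("first cipher FIPS:", report["first_cipher_fips"])
    print("non-FIPS ciphers :", report["non_fips_ciphers"])
    if not report["compliant"]:
        print("apply in global configuration mode:", remediation_command(SHOW_RUN_SSL_DEFAULT))
```

Paste the output of show running-config ssl into SHOW_RUN_SSL_DEFAULT (or read it from a file) and apply the printed line in global configuration mode. On ASA releases that replaced ssl encryption with ssl cipher, the regex and keyword sets need to change to match that command's syntax.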

Hi Naresh, thanks for your informative replies, they have been very helpful

Cheers.

Paul