09-19-2013 02:07 AM - edited 02-21-2020 07:10 PM
Hi guys, is there any way to automagically refuse any Anyconnect connections to a FIPS compliant ASA if the Anyconnect client is non-FIPS compliant?
Any help, thoughts or ideas are greatly appreciated as I can't seem to find anything to suggest you can.
Kind regards
Paul.
09-19-2013 04:10 AM
You enable FIPS compliance for the core AnyConnect Security Mobility Client in the local policy file on the user computer. This file is an XML file containing security settings, and is not deployed by the ASA. The file must be installed manually or deployed to a user computer using an enterprise software deployment system. You must purchase a FIPS license for the ASA the client connects to.
AnyConnect Local Policy parameters reside in the XML file AnyConnectLocalPolicy.xml. This file is not deployed by the ASA. You must deploy this file using corporate software deployment systems or change the file manually on a user computer.
You can get more information from the following link:
HTH!!
Regards,
Naresh
09-19-2013 04:38 AM
Hi Naresh, thanks for your speedy reply :-)
My problem is that there are potentially hundreds and hundreds of remote users using Anyconnect. So if I enable FIPS on my ASA, how do I know that all the hundreds and hundreds of users are actually using FIPS compliant Anyconnect?
It is feasible that a corporate wide group MST deployment could miss out multiple laptops. These laptops would still be running non-FIPS Anyconnect.
I would like the ASA to be able to reject these non-FIPS Anyconnect connections until they have a FIPS compliant version of Anyconnect. Is this possible?
I hope this makes sense :-)
Regards
Paul.
09-19-2013 11:59 AM
Hi Paul,
By default, the ASA specifies the non-FIPS-compliant RC4-SHA1 for the connection. To be FIPS-compliant, you must ensure a FIPS-compliant cipher is the first one specified in the list of SSL encryptions. Otherwise, the DTLS connection fails. Furthermore, we recommend you remove all non-FIPS ciphers from the list to ensure the connection failure doesn't occur.
In ASDM, go to Configuration > Remote Access VPN > Advanced > SSL Settings to specify the SSL encryption types. In the Encryption area, move a FIPS-compliant cipher to the top position in the list.
If you are using CLI, use the ssl encryption command from global configuration mode to order the list.
Regards,
Naresh
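The cipher-ordering check from the reply above, as an added example that is not part of this thread or Cisco's own tooling: it parses an ASA `ssl encryption` line from a saved config and reports whether a FIPS cipher is first and whether any non-FIPS ciphers remain. The config snippets are constructed, and which keywords count as FIPS-approved is an assumption made for this example.

```python
"""Audit an ASA 'ssl encryption' line for FIPS cipher ordering (added example).

The config snippets are constructed and the cipher classification below is an
assumption for this example, not taken from Cisco documentation.
"""
import re
from typing import Dict, List

# Assumed classification of 'ssl encryption' keywords for this example.
FIPS_CIPHERS = {"aes128-sha1", "aes256-sha1", "3des-sha1",
                "dhe-aes128-sha1", "dhe-aes256-sha1"}
NON_FIPS_CIPHERS = {"rc4-sha1", "rc4-md5", "des-sha1", "null-sha1"}


def parse_ssl_encryption(config: str) -> List[str]:
    """Return the ordered cipher list from the 'ssl encryption' line, or [] if absent."""
    for line in config.splitlines():
        m = re.match(r"^\s*ssl encryption\s+(.+?)\s*$", line)
        if m:
            return m.group(1).split()
    return []


def audit_ssl_encryption(config: str) -> Dict[str, object]:
    """Check the two conditions from the reply: FIPS cipher first, no non-FIPS ciphers left."""
    ciphers = parse_ssl_encryption(config)
    known = FIPS_CIPHERS | NON_FIPS_CIPHERS
    unknown = [c for c in ciphers if c not in known]
    non_fips = [c for c in ciphers if c in NON_FIPS_CIPHERS]
    first_is_fips = bool(ciphers) and ciphers[0] in FIPS_CIPHERS
    return {
        "ciphers": ciphers,
        "first_is_fips": first_is_fips,   # required, or the DTLS connection fails
        "non_fips_present": non_fips,     # recommended to remove entirely
        "unknown": unknown,               # keywords this example does not classify
        "fips_clean": first_is_fips and not non_fips and not unknown,
    }


# Constructed samples: RC4-SHA1 first (as the reply describes the default) vs. a FIPS-only list.
DEFAULT_CONFIG = "ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1\n"
FIXED_CONFIG = "ssl encryption aes256-sha1 aes128-sha1 3des-sha1\n"

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_ssl_encryption(cfg))
```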
09-20-2013 02:48 AM
Hi Naresh, thanks for your informative replies; they have been very helpful.
Cheers.
Paul