Cisco AnyConnect Secure Mobility Client v3.x Release Notes
Release Notes for Cisco AnyConnect Secure Mobility Client 3.0.x for Android Mobile Devices
New Features in AnyConnect 3.0.09073
Requirements
• FIPS and/or Suite B support is required on the secure gateway. Cisco provides Suite B capability on the ASA version 9.0 and later, and FIPS capability on the ASA version 8.4.1 and later.
• An AnyConnect Premium license is required for FIPS or Suite B remote access connections to the ASA.
• Android 4.0 (Ice Cream Sandwich) or later is required for Suite B cryptography; this is the minimum Android version that supports the ECDSA certificates used in Suite B.
• VPN connections require server certificates that contain Key Usage attributes of Digital Signature and Key Encipherment, as well as an Enhanced Key Usage attribute of Server Authentication, or IKE Intermediate for IPsec. Server certificates not containing a Key Usage are considered invalid for all Key Usages. Similarly, a server certificate not containing an Enhanced Key Usage is considered invalid for all Enhanced Key Usages.
Guidelines and Limitations
• Suite B is available only for IKEv2/IPsec.
• A device that is running in FIPS mode is not compatible with using SCEP to provide mobile users with digital certificates, whether by the proxy method or the legacy method. Plan your deployment accordingly.
• No EAP methods support SHA-2, except TLS-based EAP methods when validating certificates signed using SHA-2.
• ECDSA certificates must have a digest strength equal to or greater than the curve strength. For example, an EC-384 key must use SHA2-384 or greater.
• VPN connections perform name verification on server certificates. The following rules are applied to name verification:
– If a Subject Alternative Name extension is present with relevant attributes, name verification uses only the Subject Alternative Name. Relevant attributes include DNS Name attributes for all certificates, and also include IP address attributes if the connection is being performed to an IP address.
– If a Subject Alternative Name extension is not present, or is present but contains no relevant attributes, name verification uses any Common Name attributes found in the Subject of the certificate.
– If a certificate uses a wildcard for the purposes of name verification, the wildcard must be in the first (left-most) subdomain only and must be the last (right-most) character in that subdomain. Any wildcard entry not in compliance is ignored for the purposes of name verification.
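The name-verification rules above, expressed as an added Python example; this is not Cisco's code or the AnyConnect implementation, and the ServerCert fields are a constructed stand-in for the parsed certificate attributes a real client would read.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ServerCert:
    """Constructed stand-in for the parsed certificate fields that name verification reads."""
    subject_cn: list = field(default_factory=list)   # Common Name attributes in the Subject
    san_dns: list = field(default_factory=list)      # SAN dNSName entries
    san_ip: list = field(default_factory=list)       # SAN iPAddress entries

def is_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def wildcard_compliant(pattern: str) -> bool:
    """'*' is honoured only in the left-most label and only as that label's last character."""
    first, *rest = pattern.split(".")
    if any("*" in label for label in rest):
        return False
    return first.count("*") == 0 or (first.count("*") == 1 and first.endswith("*"))

def dns_name_matches(pattern: str, hostname: str) -> bool:
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not wildcard_compliant(pattern):
        return False  # a non-compliant wildcard entry is ignored, so it never matches
    pfirst, _, prest = pattern.partition(".")
    hfirst, _, hrest = hostname.partition(".")
    # the wildcard label covers exactly one hostname label; the parent domain must be identical
    return prest == hrest and hfirst.startswith(pfirst[:-1])

def ip_matches(entry: str, target: str) -> bool:
    try:
        return ipaddress.ip_address(entry) == ipaddress.ip_address(target)
    except ValueError:
        return False

def verify_server_name(cert: ServerCert, target: str) -> bool:
    """SAN is used alone when it holds relevant attributes; otherwise fall back to Subject CN."""
    relevant = list(cert.san_dns)           # DNS Name attributes are relevant for every certificate
    if is_ip(target):
        relevant += cert.san_ip             # IP attributes are relevant only when connecting to an IP
    candidates = relevant if relevant else cert.subject_cn
    match = ip_matches if is_ip(target) else dns_name_matches
    return any(match(entry, target) for entry in candidates)
```

Note that a certificate whose SAN holds only DNS names is never matched on its Subject CN when the user connects by IP address, because the DNS names already count as relevant attributes.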
Additional URI Handler Enhancements
The AnyConnect URI Handler simplifies AnyConnect setup and activities by servicing requests in the form of Uniform Resource Identifiers (URIs). Administrators embed URIs as links on web pages or in e-mail messages and then give users instructions to access them. The following enhancements have been made to the URI Handler in AnyConnect 3.0:
• Parameters have been added to the anyconnect:create command to create IPsec connection entries, for example:
anyconnect:create?name=Description&host=vpn.company.com&protocol=IPsec&authentication=eap-md5&ike-identity=012A4F8B29A9BCD