Cisco AnyConnect Secure Mobility Client v3.x Release Notes
Release Notes for Cisco AnyConnect Secure Mobility Client 3.0.x, for Apple iOS
New Features in AnyConnect 3.0.09097
When Block Untrusted Servers is OFF, a nonblocking Untrusted VPN Server notification alerts the user to this security
threat. The user can choose to:
• Cancel the connection and remain safe.
• Continue the connection, but this is not recommended.
• View Details of the certificate.
If the certificate that the user is viewing is valid but untrusted, the user can:
– Import the server certificate into the AnyConnect certificate store for future use and continue the connection by
selecting Import and Continue. Once this certificate is imported into the AnyConnect store, subsequent connections
made to the server using this digital certificate are automatically accepted.
– Go back to the previous screen and choose Cancel or Continue.
If the certificate is invalid, for any reason, the user can only return to the previous screen and choose Cancel or Continue.
Leaving the Block Untrusted Servers setting ON, having a valid, trusted server certificate configured on your secure gateway,
and instructing your mobile users to always choose Keep Me Safe is the safest configuration for VPN connectivity to your
network.
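The decision flow described above, as an added example that is not AnyConnect code: a small Python model of the Block Untrusted Servers setting and the Import and Continue path. It treats "valid but untrusted" as a certificate that is inside its validity period and matches the gateway name but does not chain to a trusted root, and it models the AnyConnect certificate store as a set of SHA-256 fingerprints of the DER encoding (a trust-on-first-use pin). The certificate dicts, root name, host name and store layout are all constructed for the example; real X.509 parsing is out of scope.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from enum import Enum


class CertStatus(Enum):
    TRUSTED = "trusted"                          # chains to a trusted root, or was imported earlier
    VALID_BUT_UNTRUSTED = "valid but untrusted"  # well-formed, but no trust anchor
    INVALID = "invalid"                          # expired, not yet valid, or name mismatch


class Decision(Enum):
    CONNECT = "connect"
    CANCEL = "cancel"
    PROMPT = "prompt"   # the nonblocking Untrusted VPN Server notification


def fingerprint(der: bytes) -> str:
    """Key used for the imported store: SHA-256 of the DER bytes (an assumption of this model)."""
    return hashlib.sha256(der).hexdigest()


def classify(cert: dict, hostname: str, now: datetime,
             trusted_roots: set, imported: set) -> CertStatus:
    """Classify a modelled server certificate. Validity checks come first, so an
    expired or mis-named certificate is INVALID even if it was imported before."""
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return CertStatus.INVALID
    if hostname not in cert["san"]:
        return CertStatus.INVALID
    if cert["issuer"] in trusted_roots or fingerprint(cert["der"]) in imported:
        return CertStatus.TRUSTED
    return CertStatus.VALID_BUT_UNTRUSTED


def decide(status: CertStatus, block_untrusted: bool) -> Decision:
    """Decision before the user is involved."""
    if status is CertStatus.TRUSTED:
        return Decision.CONNECT
    if block_untrusted:
        return Decision.CANCEL          # Block Untrusted Servers ON: Keep Me Safe, no bypass
    return Decision.PROMPT              # OFF: nonblocking notification, user decides


def resolve_prompt(status: CertStatus, choice: str, cert: dict, imported: set) -> Decision:
    """Apply the user's choice on the notification. Import and Continue is offered only
    for a valid-but-untrusted certificate; an invalid one gets Cancel or Continue only."""
    if choice == "cancel":
        return Decision.CANCEL
    if choice == "continue":
        return Decision.CONNECT
    if choice == "import_and_continue":
        if status is not CertStatus.VALID_BUT_UNTRUSTED:
            raise ValueError("Import and Continue is not offered for an invalid certificate")
        imported.add(fingerprint(cert["der"]))
        return Decision.CONNECT
    raise ValueError(f"unknown choice {choice!r}")


def demo() -> list:
    """Walk through the cases the release note describes; returns the outcomes in order."""
    now = datetime(2013, 1, 15, tzinfo=timezone.utc)
    trusted_roots = {"CN=Example Corporate Root CA"}   # constructed trust anchor
    imported = set()                                   # empty AnyConnect store
    # Constructed self-signed gateway certificate; 'der' stands in for the real encoding.
    selfsigned = {
        "issuer": "CN=vpn.example.com",
        "san": {"vpn.example.com"},
        "not_before": now - timedelta(days=1),
        "not_after": now + timedelta(days=365),
        "der": b"constructed-self-signed-cert-bytes",
    }
    expired = dict(selfsigned, not_after=now - timedelta(days=1), der=b"constructed-expired-cert")
    host = "vpn.example.com"
    out = []
    status = classify(selfsigned, host, now, trusted_roots, imported)
    out.append(decide(status, block_untrusted=True).value)     # refused outright
    out.append(decide(status, block_untrusted=False).value)    # user is prompted
    out.append(resolve_prompt(status, "import_and_continue", selfsigned, imported).value)
    out.append(classify(selfsigned, host, now, trusted_roots, imported).value)  # pinned now
    status = classify(expired, host, now, trusted_roots, imported)
    out.append(status.value)
    try:
        resolve_prompt(status, "import_and_continue", expired, imported)
        out.append("import allowed")
    except ValueError:
        out.append("import refused")
    return out


if __name__ == "__main__":
    print(demo())
```

The model makes the operational point explicit: with Block Untrusted Servers ON the user never reaches the import path, so a gateway certificate that chains to a root the devices already trust is the only way to get a silent, automatic connection, and an expired or mis-named certificate cannot be pinned by the user.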
SCEP Proxy
Simple Certificate Enrollment Protocol (SCEP) Proxy provides secure deployment of device certificates from third-party
Certificate Authorities (CAs). It allows a mobile user to enroll with an internal CA without exposing the CA to external access.
With AnyConnect 3.0, an ASA 9.0 or later acts as a proxy for SCEP requests and responses that flow between the AnyConnect
mobile device and the internal CA. Mobile devices rely on the ASA to know the identity of the CA, and do not access the CA
directly. The received certificate is used to automatically connect after being imported into the AnyConnect certificate store on
the mobile device.
For more information, see
section in the Cisco AnyConnect Secure Mobility
Client Administrator Guide, Release 3.0 manual.
Guidelines and Limitations
• Depending on network characteristics, SCEP proxy activity can take more than a few seconds. The user receives a message
when the certificate has been received by the AnyConnect client.
• Using SCEP for certificate enrollment, proxy method or legacy method, is not compatible with mobile devices running in
FIPS mode. Plan your deployment accordingly.
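The ASA side of the SCEP proxy arrangement described above, as an added configuration example that is not from the release notes or the Administrator Guide. It uses the ASA CLI commands for SCEP proxy enrollment (scep-enrollment enable under the tunnel-group, scep-forwarding-url under the group policy); the group names, the CA URL and the AAA server group are placeholders. The pattern is two connection profiles: an enrollment profile that requires AAA authentication and forwards SCEP to the internal CA, and a production profile that accepts only the certificate the device obtained.

```cisco
! Enrollment profile: authenticated users may obtain a device certificate.
! The forwarding URL is the only CA endpoint the ASA will relay to; the CA
! itself stays unreachable from the outside.
group-policy GP_ENROLL internal
group-policy GP_ENROLL attributes
 vpn-tunnel-protocol ssl-client
 scep-forwarding-url value http://ca.corp.example.internal/certsrv/mscep/mscep.dll
tunnel-group TG_ENROLL type remote-access
tunnel-group TG_ENROLL general-attributes
 authentication-server-group CORP_AAA
 default-group-policy GP_ENROLL
 scep-enrollment enable
tunnel-group TG_ENROLL webvpn-attributes
 authentication aaa
 group-alias enroll enable

! Production profile: certificate authentication only. A device that has not
! completed enrollment cannot connect here, and the enrollment profile grants
! no access beyond obtaining the certificate.
group-policy GP_CORP internal
group-policy GP_CORP attributes
 vpn-tunnel-protocol ssl-client
tunnel-group TG_CORP type remote-access
tunnel-group TG_CORP general-attributes
 default-group-policy GP_CORP
tunnel-group TG_CORP webvpn-attributes
 authentication certificate
 group-alias corp enable
```

Because the ASA forwards the SCEP exchange on behalf of the device, the credentials checked on the enrollment profile are what gate certificate issuance; leave that profile with AAA authentication (and, where possible, a short-lived or restricted group policy) rather than allowing anonymous enrollment. The FIPS limitation above applies regardless of how the ASA is configured.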
Trusted Network Detection
Apple has introduced a Trusted Network Detection (TND) enhancement to the Connect On Demand feature in iOS 6. This
enhancement:
• Extends the Connect on Demand functionality by determining whether the user is on a trusted network.
• Applies to Wi-Fi connectivity only. When operating over other types of network connections, Connect on Demand does
not use TND to determine whether a VPN should be connected.
• Is not a separate feature and cannot be configured or used outside of the Connect on Demand capabilities.
Contact Apple for more information about Connect on Demand Trusted Network Detection in iOS 6.
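How trusted network detection is expressed inside a Connect On Demand configuration, as an added example that is not from the release notes: the OnDemandRules fragment of an iOS VPN configuration profile, using the rule keys from Apple's configuration profile reference (Action, InterfaceTypeMatch, SSIDMatch, DNSDomainMatch). The SSID and domain are placeholders. Rules are evaluated in order and the first match wins, which is why the trusted-network rule comes first and why only Wi-Fi rules carry network-identity matchers, consistent with TND applying to Wi-Fi only.

```xml
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
    <!-- Trusted network: corporate Wi-Fi, recognised by SSID and by the DNS
         search domain the network hands out. Do not bring up the VPN. -->
    <dict>
        <key>Action</key>
        <string>Disconnect</string>
        <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
        <key>SSIDMatch</key>
        <array>
            <string>CorpWiFi</string>
        </array>
        <key>DNSDomainMatch</key>
        <array>
            <string>corp.example.com</string>
        </array>
    </dict>
    <!-- Any other Wi-Fi is untrusted: connect. -->
    <dict>
        <key>Action</key>
        <string>Connect</string>
        <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
    </dict>
    <!-- Cellular and anything else: TND is not consulted, so no SSID or
         domain matcher here; connect unconditionally. -->
    <dict>
        <key>Action</key>
        <string>Connect</string>
    </dict>
</array>
```

Matching both SSID and the DHCP-supplied search domain makes the trusted-network test harder to satisfy than the SSID alone, which anyone can broadcast; it still only decides whether the VPN is started, so it is no substitute for the server certificate checks described earlier in these notes.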