Cisco Cisco AnyConnect Secure Mobility Client v4.x Release Notes
Cisco has validated that AnyConnect 4.3 and 4.4 (and beyond) releases will continue to operate correctly
as Microsoft further phases out SHA-1. Long term, Microsoft intends to distrust SHA-1 throughout Windws
in all contexts, but their current advisory does not provide any specifics or timing on this. Depending on
the exact date of that deprecation, many earlier versions of AnyConnect may no longer operate at any
time. Refer to
as Microsoft further phases out SHA-1. Long term, Microsoft intends to distrust SHA-1 throughout Windws
in all contexts, but their current advisory does not provide any specifics or timing on this. Depending on
the exact date of that deprecation, many earlier versions of AnyConnect may no longer operate at any
time. Refer to
for further information.
Note
Authentication Failure When Using a SHA512 Certificate for Authentication
(For Windows 7, 8, and 8.1 users) When the client uses a SHA512 certificate for authentication, authentication fails, even though
the client logs show that the certificate is being used. The ASA logs correctly show that no certificate was sent by AnyConnect. These
versions of Windows require that you enable support for SHA512 certificates in TLS 1.2, which is not supported by default. Refer
to
the client logs show that the certificate is being used. The ASA logs correctly show that no certificate was sent by AnyConnect. These
versions of Windows require that you enable support for SHA512 certificates in TLS 1.2, which is not supported by default. Refer
to
for information on enabling support for these SHA512 certificates.
No Longer Supporting RC4 TLS Cipher Suite
RC4 TLS cipher suites are not supported from AnyConnect release 4.2.01035 and onwards due to security policy enhancements.
OpenSSL Cipher Suites Changes
Because the OpenSSL standards development team marked some cipher suites as compromised, we no long support them beyond
AnyConnect 3.1.05187. The unsupported cipher suites include the following: DES-CBC-SHA, RC4-SHA, and RC4-MD5.
AnyConnect 3.1.05187. The unsupported cipher suites include the following: DES-CBC-SHA, RC4-SHA, and RC4-MD5.
Likewise, our crypto toolkit has discontinued support for RC4 ciphers; therefore, our support for them will be dropped with releases
3.1.13011 and 4.2.01035 and beyond.
3.1.13011 and 4.2.01035 and beyond.
Network Visibility Module Incompatible with LittleSnitch Firewall
The Network Visibility Module is incompatible with LittleSnitch firewall on Mac OS X.
AnyConnect Support on Mac OS X El Capitan 10.11
The Cisco AnyConnect Secure Mobility Client is supported on the Mac OS X El Capitan 10.11 operating system.
Using Log Trace in ISE Posture
After a fresh installation, you see ISE posture log trace messages as expected. However, if you go into the ISE Posture Profile Editor
and change the Enable Agent Log Trace file to 0 (disable), you must do an AnyConnect service restart to get expected results.
and change the Enable Agent Log Trace file to 0 (disable), you must do an AnyConnect service restart to get expected results.
Interoperability With ISE Posture on Mac
If you are using Mac OS X 10.9 or later and want to use ISE posture, you may need to do the following to avoid issues:
• Turn off certificate validation to avoid a "failed to contact policy server" error during posture assessment.
• Disable the captive portal application; otherwise, discovery probes are blocked, and the application remains in pre-posture ACL
state.
15