Cisco Cisco AnyConnect Secure Mobility Client v4.x Release Notes
OpenSSL Cipher Suites Changes
Because the OpenSSL standards development team marked some cipher suites as compromised, we no long support them beyond
AnyConnect 3.1.05187. The unsupported cipher suites include the following: DES-CBC-SHA, RC4-SHA, and RC4-MD5.
AnyConnect 3.1.05187. The unsupported cipher suites include the following: DES-CBC-SHA, RC4-SHA, and RC4-MD5.
Likewise, our crypto toolkit has discontinued support for RC4 ciphers; therefore, our support for them will be dropped with releases
3.1.13011 and 4.2.01035 and beyond.
3.1.13011 and 4.2.01035 and beyond.
Network Visibility Module Incompatible with LittleSnitch Firewall
The Network Visibility Module is incompatible with LittleSnitch firewall on Mac OS X.
AnyConnect Support on Mac OS X El Capitan 10.11
The Cisco AnyConnect Secure Mobility Client is supported on the Mac OS X El Capitan 10.11 operating system.
Using Log Trace in ISE Posture
After a fresh installation, you see ISE posture log trace messages as expected. However, if you go into the ISE Posture Profile Editor
and change the Enable Agent Log Trace file to 0 (disable), you must do an AnyConnect service restart to get expected results.
and change the Enable Agent Log Trace file to 0 (disable), you must do an AnyConnect service restart to get expected results.
Interoperability With ISE Posture on Mac
If you are using Mac OS X 10.9 or later and want to use ISE posture, you may need to do the following to avoid issues:
• Turn off certificate validation to avoid a "failed to contact policy server" error during posture assessment.
• Disable the captive portal application; otherwise, discovery probes are blocked, and the application remains in pre-posture ACL
state.
CRL is Not Supported for Server Certificate Verification
Many sites position the Certificate Authority they use to validate server certificates inside the corporate network. That means that a
client cannot verify CRL when it is trying to connect to a headend, since the CRL is not accessible on the public network. The client
operating system can be configured to verify CRL in Windows and Mac OS X, but we ignore that setting.
client cannot verify CRL when it is trying to connect to a headend, since the CRL is not accessible on the public network. The client
operating system can be configured to verify CRL in Windows and Mac OS X, but we ignore that setting.
Firefox Certificate Store on Mac OS X is Not Supported
The Firefox certificate store on Mac OS X is stored with permissions that allow any user to alter the contents of the store, which
allows unauthorized users or processes to add an illegitimate CA into the trusted root store. Anyconnect no longer utilizes the Firefox
store for either server validation or client certificates.
allows unauthorized users or processes to add an illegitimate CA into the trusted root store. Anyconnect no longer utilizes the Firefox
store for either server validation or client certificates.
If necessary, instruct your users how to export your AnyConnect certificates from their Firefox certificate stores, and how to import
them into the Mac OS X keychain. The following steps are an example of what you may want to tell your AnyConnect users.
them into the Mac OS X keychain. The following steps are an example of what you may want to tell your AnyConnect users.
1
Navigate to Firefox > Preferences > Advanced, Certificates tab, click View Certificates.
2
Select the Certificate used for AnyConnect, and click Export.
17