Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 2.5
Enabling FIPS and Additional Security in the Local Policy

Table Of Contents

Enabling FIPS and Additional Security in the Local Policy

Enabling FIPS for Windows Clients using our MST File

Enabling FIPS and other Local Policy Parameters with your own MST File

Enabling FIPS and Other Parameters with our Enable FIPS Tool

Changing Local Policy Parameters Manually in the Local Policy

AnyConnect Local Policy Parameters and Values

Local Policy File Example


Enabling FIPS and Additional Security in the Local Policy


The AnyConnect Local Policy specifies additional security parameters for the Cisco AnyConnect Secure Mobility client, including operating in a mode compliant with Level 1 of the Federal Information Processing Standard (FIPS), 140-2, a U.S. government standard for specific security requirements for cryptographic modules. The FIPS 140-2 standard applies to all federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems. The FIPS feature is licensed for the ASA on a per-model basis.

Other parameters in the AnyConnect Local Policy increase security by forbidding remote updates to prevent Man-in-the-Middle attacks and by preventing non-administrator or non-root users from modifying client settings.

AnyConnect Local Policy parameters reside in the XML file AnyConnectLocalPolicy.xml. This file is not deployed by the ASA. You must deploy this file using corporate software deployment systems or change the file manually on a user computer.

For Windows, we provide a Microsoft Transform (MST) file that you can apply to the standard MSI installation file to enable FIPS. The MST does not change other AnyConnect Local Policy parameters. You can also use our Enable FIPS tool, a command line tool that runs on Windows using administrator privileges or as a root user for Linux and Mac. When you purchase a FIPS license, you receive information about our MST or the Enable FIPS tool and where you can download these tools.

Alternatively, you can obtain a copy of the AnyConnect Local Policy file from a client installation, manually edit the parameters, and deploy it to user computers using enterprise software deployment.

This section covers the following topics:

Enabling FIPS for Windows Clients using our MST File

Enabling FIPS and other Local Policy Parameters with your own MST File

Enabling FIPS and Other Parameters with our Enable FIPS Tool

Changing Local Policy Parameters Manually in the Local Policy

AnyConnect Local Policy Parameters and Values

Enabling FIPS for Windows Clients using our MST File

For Windows installations, you can apply the MST file we provide to the standard MSI installation file to enable FIPS in the AnyConnect Local Policy. The MST only enables FIPS and does not change other parameters. The installation generates an AnyConnect Local Policy file with FIPS enabled.

For information about where you can download our MST, see the licensing information you received for the FIPS client.

Enabling FIPS and other Local Policy Parameters with your own MST File

You can create your own MST file to change any local policy parameters. Create your own MST file using the following parameters. The names correspond to the parameters in the AnyConnect Local Policy file (AnyConnectLocalPolicy.xml). See Table 4-3 for the descriptions and values you can set for these parameters:

LOCAL_POLICY_BYPASS_DOWNLOADER

LOCAL_POLICY_FIPS_MODE

LOCAL_POLICY_RESTRICT_PREFERENCE_CACHING

LOCAL_POLICY_RESTRICT_TUNNEL_PROTOCOLS

LOCAL_POLICY_RESTRICT_WEB_LAUNCH

LOCAL_POLICY_STRICT_CERTIFICATE_TRUST


Note AnyConnect installation does not automatically overwrite an existing local policy file on the user computer. You must delete the existing policy file on user computers first, then the client installer can create the new policy file.


Enabling FIPS and Other Parameters with our Enable FIPS Tool

For all operating systems, you can use our Enable FIPS tool to create an AnyConnect Local Policy file with FIPS enabled. The Enable FIPS tool is a command line tool that runs on Windows using administrator privileges or as a root user for Linux and Mac.

For information about where you can download the Enable FIPS tool, see the licensing information you received for the FIPS client.

Table 4-1 shows the policy settings you can specify and the arguments and syntax to use. The behavior for the argument values is the same behavior specified for the parameters in the AnyConnect Local Policy file in Table 4-3.

You run the Enable FIPS tool by entering the command EnableFIPS <arguments> from the command line of the computer. The following usage notes apply to the Enable FIPS tool:

If you do not supply any arguments, the tool enables FIPS and restarts the vpnagent service (Windows) or the vpnagent daemon (Mac and Linux).

Separate multiple arguments with spaces.

The following example shows the Enable FIPS tool command, run on a Windows computer:

EnableFIPS rwl=false sct=true bd=true fm=false

The next example shows the command, run on a Linux or Mac computer:

./EnableFIPS rwl=false sct=true bd=true fm=false

Table 4-1 shows the policy settings and the arguments for the Enable FIPS tool.

Table 4-1 Policy Settings and Arguments for the Enable FIPS Tool

Policy Setting                                            Argument and Syntax
FIPS mode                                                 fm=[true | false]
Bypass downloader                                         bd=[true | false]
Restrict weblaunch                                        rwl=[true | false]
Strict certificate trust                                  sct=[true | false]
Restrict preferences caching                              rpc=[Credentials | Thumbprints | CredentialsAndThumbprints | All | false]
Exclude Firefox NSS certificate store (Linux and Mac)     efn=[true | false]
Exclude PEM file certificate store (Linux and Mac)        epf=[true | false]
Exclude Mac native certificate store (Mac only)           emn=[true | false]


Changing Local Policy Parameters Manually in the Local Policy

To change AnyConnect Local Policy parameters manually, follow this procedure:


Step 1 Retrieve a copy of the AnyConnect Local Policy file (AnyConnectLocalPolicy.xml) from a client installation.

Table 4-2 shows the installation path for each operating system.

Table 4-2 Operating System and AnyConnect Local Policy File Installation Path

Operating System     Installation Path
Windows 7            C:\ProgramData\Cisco\Cisco AnyConnect VPN Client
Windows Vista        C:\ProgramData\Cisco\Cisco AnyConnect VPN Client
Windows XP           C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client
Windows Mobile       %PROGRAMFILES%\Cisco AnyConnect VPN Client
Linux                /opt/cisco/vpn
Mac OS X             /opt/cisco/vpn


Step 2 Edit the parameter settings. The example below shows the contents of the AnyConnect Local Policy file for Windows:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy acversion="2.4.140"
    xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd">
    <FipsMode>false</FipsMode>
    <BypassDownloader>false</BypassDownloader>
    <RestrictWebLaunch>false</RestrictWebLaunch>
    <StrictCertificateTrust>false</StrictCertificateTrust>
    <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
    <RestrictTunnelProtocols>false</RestrictTunnelProtocols>
</AnyConnectLocalPolicy>

Step 3 Save the file as AnyConnectLocalPolicy.xml and deploy the file to remote computers using a corporate IT software deployment system.
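Before deploying a manually edited file, it helps to check that its effective settings match what you intended. The following script is an added example, not Cisco tooling: it parses an AnyConnectLocalPolicy.xml, fills in the Table 4-3 defaults for any element that is omitted (as the note in the next section describes), and reports every parameter that deviates from a hardened baseline. The baseline values and the sample file are assumptions constructed for this example.

```python
"""Audit an AnyConnectLocalPolicy.xml against a hardened baseline (added example)."""
import xml.etree.ElementTree as ET

# Default values from Table 4-3; an omitted element falls back to these.
DEFAULTS = {
    "FipsMode": "false",
    "BypassDownloader": "false",
    "RestrictWebLaunch": "false",
    "StrictCertificateTrust": "false",
    "RestrictPreferenceCaching": "false",
    "RestrictTunnelProtocols": "false",
}

# Assumed hardened baseline for this example (an assumption, not a Cisco recommendation).
BASELINE = {
    "FipsMode": "true",
    "RestrictWebLaunch": "true",
    "StrictCertificateTrust": "true",
    "RestrictPreferenceCaching": "All",
}


def audit_policy(xml_text):
    """Return {parameter: (effective_value, expected_value)} for each deviation."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    effective = dict(DEFAULTS)  # start from defaults, then overlay what the file sets
    for child in root:
        name = child.tag.split("}", 1)[-1]  # strip the xmlns namespace prefix
        if name in effective:
            effective[name] = (child.text or "").strip()
    return {p: (effective[p], want) for p, want in BASELINE.items() if effective[p] != want}


# Constructed sample: FipsMode is omitted on purpose, so it must default to "false".
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy acversion="2.4.140"
    xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd">
    <BypassDownloader>false</BypassDownloader>
    <RestrictWebLaunch>false</RestrictWebLaunch>
    <StrictCertificateTrust>true</StrictCertificateTrust>
    <RestrictPreferenceCaching>Credentials</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>"""

if __name__ == "__main__":
    for param, (got, want) in audit_policy(SAMPLE).items():
        print(f"{param}: effective value {got!r}, baseline expects {want!r}")
```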


AnyConnect Local Policy Parameters and Values


Note If you omit a policy parameter in the profile file, the feature resorts to default behavior.


Table 4-3 describes the parameters in the AnyConnect Local Policy file and their values:

Table 4-3 AnyConnect Local Policy File Parameters and Their Values

Parameter and Description
Values and Value Formats

acversion

Specifies the minimum version of the AnyConnect client capable of interpreting all of the parameters in the file. If a client older than the version specified reads the file, it issues an event log warning.

The format is acversion="<version number>".

xmlns

The XML namespace specifier. Most administrators do not change this parameter.

The format is a URL, for example:

xmlns="http://schemas.xmlsoap.org/encoding/"

xsi:schemaLocation

The XML specifier for the schema location. Most administrators do not change this parameter.

The format is a URL, for example:

xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd"

xmlns:xsi

The XML schema instance specifier. Most administrators do not change this parameter.

The format is a URL, for example:

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

FipsMode

Enables FIPS mode for the client. The client uses only algorithms and protocols approved by the FIPS standard.

true—Enables FIPS mode.

false—Disables FIPS mode (default).

BypassDownloader

Disables the launch of the VPNDownloader.exe module, which is responsible for detecting the presence of and updating the local versions of the dynamic content.

true—The client does not check for dynamic content present on the ASA, including translations, customization, optional modules, and core software updates; however, the client will attempt to compare its VPN client profile to the one associated with its group policy on the ASA.

false—The client checks for dynamic content present on the ASA (default).

When the client attempts to connect to the ASA, both the client and the ASA must have the same VPN client profile installed. If they do not have the same VPN client profile, the client attempts to download the VPN client profile assigned to the selected ASA AnyConnect Connection Profile. If BypassDownloader is set to true, the client will not download the VPN client profile.

If the client does not download the VPN client profile, one of two things happens:

If the VPN client profile on the ASA is different than the one on the client, the client aborts the connection attempt because the policy defined by the VPN client profile on the ASA will not be enforced.

If there is no VPN client profile on the ASA, the client makes the VPN connection but it uses its hard-coded VPN client profile settings.


Note If you configure VPN client profiles on the ASA, they must be installed on the client prior to the client connecting to the ASA with BypassDownloader set to true. Because the profile can contain administrator defined policy, the BypassDownloader true setting is only recommended if you do not rely on the ASA to centrally manage client profiles.


RestrictWebLaunch

Prevents users from using a non-FIPS-compliant browser to obtain the security cookie used to initiate an AnyConnect tunnel by forbidding the use of WebLaunch and forcing users to connect using the AnyConnect FIPS-compliant stand-alone connection mode.

true—WebLaunch attempts fail and the client displays an informative message to the user.

false—Permits WebLaunch (default—behavior consistent with AnyConnect 2.3 and earlier).

StrictCertificateTrust

When authenticating remote security gateways, AnyConnect disallows any certificate that it cannot verify. Instead of prompting the user to accept these certificates, the client fails to connect to security gateways that use self-signed certificates.

true—The client fails to connect to security gateways that use self-signed certificates and displays this message:

Local policy prohibits the acceptance of untrusted server certificates. A connection will not be established.

false—The client prompts the user to accept the certificate (default—behavior consistent with AnyConnect 2.3 and earlier).

RestrictPreferenceCaching

By design, AnyConnect does not cache sensitive information to disk. Enabling this parameter extends this policy to any type of user information stored in the AnyConnect preferences.

Credentials—The user name and second user name are not cached.

Thumbprints—The client and server certificate thumbprints are not cached.

CredentialsAndThumbprints—Certificate thumbprints and user names are not cached.

All—No automatic preferences are cached.

false—All preferences are written to disk (default—behavior consistent with AnyConnect 2.3 and earlier).

RestrictTunnelProtocols (currently not supported)

Forbids the use of certain tunnel protocol families to establish a connection to the ASA.

TLS—The client only uses IKEv2 and ESP to establish the tunnel, and will not use TLS/DTLS to communicate information to the secure gateway.

IPSec—The client only uses TLS/DTLS for authentication and tunneling.

false—Any encrypted protocol may be used in connection establishment (default).


Note If you forbid the use of TLS or other protocols, certain advanced features, such as the automatic upgrading of Secure Desktop, may not work.


ExcludeFirefoxNSSCertStore (Linux and Mac)

Permits or excludes the client from using the Firefox NSS certificate store to verify server certificates. The store has information about where to obtain certificates for client certificate authentication.

true—Excludes the Firefox NSS certificate store.

false—Permits the Firefox NSS certificate store (default).

ExcludePemFileCertStore (Linux and Mac)

Permits or excludes the client from using the PEM file certificate store to verify server certificates. The store uses FIPS-capable OpenSSL and has information about where to obtain certificates for client certificate authentication. Permitting the PEM file certificate store ensures remote users are using a FIPS-compliant certificate store.

true—Excludes the PEM file certificate store.

false—Permits the PEM file certificate store (default).

ExcludeMacNativeCertStore (Mac only)

Permits or excludes the client from using the Mac native (keychain) certificate store to verify server certificates.

true—Excludes the Mac native certificate store.

false—Permits the Mac native certificate store (default).

ExcludeWinNativeCertStore (Windows only, currently not supported)

Permits or excludes the client from using the Windows Internet Explorer native certificate store to verify server certificates.

true—Excludes the Windows Internet Explorer certificate store.

false—Permits the Windows Internet Explorer certificate store (default).


Local Policy File Example

The following is an example of the AnyConnect Local Policy file:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy acversion="2.4.140"
    xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd">
    <FipsMode>false</FipsMode>
    <BypassDownloader>false</BypassDownloader>
    <RestrictWebLaunch>false</RestrictWebLaunch>
    <StrictCertificateTrust>false</StrictCertificateTrust>
    <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
    <RestrictTunnelProtocols>false</RestrictTunnelProtocols>
</AnyConnectLocalPolicy>