Table of Contents
- Supported Apple iOS Devices
- Upgrading AnyConnect
- New Features in AnyConnect 3.0.09353
- New Features in AnyConnect 3.0.09266
- New Features in AnyConnect 3.0.09231
- New Features in AnyConnect 3.0.09179
- New Features in AnyConnect 3.0.09115
- New Features in AnyConnect 3.0.09097
- Apple iOS AnyConnect Features
- Adaptive Security Appliance Requirements
- Known Issues and Limitations
- AnyConnect Support Policy
- AnyConnect License Agreements
- Related Documentation
These release notes provide only Apple iOS-specific information for the AnyConnect Secure Mobility client. This document supplements the Cisco AnyConnect Administrator Guides . You can deploy later releases of AnyConnect for other devices simultaneously with this release.
This release of AnyConnect provides remote users with secure VPN connections to the Cisco ASA 5500 Series using the Secure Socket Layer (SSL) protocol and the Datagram TLS (DTLS) protocol, or Internet Protocol Security (IPsec) Internet Key Exchange version 2 (IKEv2).
This release provides seamless and secure remote access to enterprise networks. The client provides a full tunneling experience that allows any installed application to communicate as though connected directly to the enterprise network. It runs on the Apple iPhone, iPad, and iPod Touch supporting connections to IPv4 and IPv6 resources over an IPv4 network tunnel.
If your users fail to do this, AnyConnect may fail to connect after the upgrade with the following error: “Could not connect to VPN server, Please verify internet connectivity and server address.” AnyConnect will then require a reboot of the device before using the new version.
- Close the AnyConnect application if it is open.
- To ensure proper establishment of Connect On Demand VPN tunnels after updating AnyConnect, users must manually start the AnyConnect app and establish a connection after upgrading.
Review the current Known Issues and Limitations to be aware of operational considerations.
- The minimum key size for server certificates accepted by the client will be 2048 bits. Server certificates with smaller key sizes (< 2048) will be rejected and the explicit reason will be logged and displayed to the user. This applies to all certificates in the chain.
- SHA-1 shall not be used for digital signatures. Only SHA256 or greater is now supported in FIPS mode.
- There is no change in client certificate processing.
See Resolved Issues in AnyConnect 3.0.09266 for Apple iOS, for additional fixes in this release. Cisco recommends that you upgrade to this latest release of AnyConnect.
See Resolved Issues in AnyConnect 3.0.09231 for Apple iOS, for specific bugs fixed in this release. Cisco recommends that you upgrade to this latest release of AnyConnect.
Apple iOS 7 does not support Connect on Demand (COD) Always Connect domains. Domains in this category will be treated as Connect if Needed domains on Apple iOS 7. See Using the Connect on Demand Feature in the Cisco AnyConnect Secure Mobility Client Administrator Guide, for additional information about using the Apple iOS Connect On Demand feature.
Consequently, AnyConnect for Apple iOS no longer supports the 1st generation iPad device or the 3rd generation iPod Touch device. See the current list of Supported Apple iOS Devices.
- Curently, AnyConnect is not compatible with the iPhone 5S (64-bit). Cisco will provide compatibility information as soon as it is available.
- This release now supports full screen mode on iPhone 5 devices.
See Resolved Issues in AnyConnect 3.0.09179 for Apple iOS, for specific bugs fixed in this release. Cisco recommends that you upgrade to this latest release of AnyConnect.
AnyConnect 3.0.09115 is a maintenance release, see Resolved Issues in AnyConnect 3.0.09115 for Apple iOS. Cisco recommends that you upgrade to this latest release of AnyConnect.
The AnyConnect client uses a proprietary AnyConnect EAP authentication method with ASA secure gateways. Standards-based EAP authentication methods are also available, however, using the standards-based method disables some AnyConnect features. The client supports the following standards-based authentication methods:
On the ASA, you enable IPsec connections for users in the group policy. For the AnyConnect client, you specify the primary protocol (IPsec or SSL) for each ASA in the server list of the client profile.
AnyConnect 3.0 for mobile devices incorporates Cisco Common Cryptographic Module (C3M), the Cisco SSL implementation which includes FIPS 140-2 compliant cryptography modules and NSA Suite B cryptography as part of its Next Generation Encryption (NGE) algorithms.
Use of cryptography algorithms is negotiated with the headend while connecting. Negotiation is dependent on the capabilities of both ends of the VPN connection. Therefore, the secure gateway must also support FIPS-compliant and Suite B cryptography.
The user configures AnyConnect to accept only NGE algorithms during negotiation by enabling FIPS Mode in the AnyConnect settings. When FIPS Mode is disabled, AnyConnect also accepts non-FIPS cryptography algorithms for VPN connections.
- ECDSA support (256-, 384-, 512-bit elliptic curves) for digital signature, asymmetric encryption, and authentication
- FIPS and/or Suite B support is required on the secure gateway. Cisco provides Suite B capability on the ASA version 9.0 and later, and FIPS capability on the ASA version 8.4.1 and later.
- An AnyConnect Premium license is required for FIPS or Suite B remote access connections to the ASA.
- VPN connections require server certificates that contain Key Usage attributes of Digital Signature and Key Encipherment, as well as an Enhanced Key Usage attribute of Server Authentication, or IKE Intermediate for IPsec. Server certificates not containing a Key Usage are considered invalid for all Key Usages. Similarly, a server certificate not containing an Enhanced Key Usage is considered invalid for all Enhanced Key Usages.
- Suite B is available only for IKEv2/IPsec.
- A device that is running in FIPS mode is not compatible with using SCEP to provide mobile users with digital certificates, proxy method or legacy method. Plan your deployment accordingly.
- No EAP methods support SHA-2 except in TLS-based EAP when validating certificates signed using SHA-2.
- ECDSA certificates must have a Digest strength equal to or greater than the Curve strength. For example, an EC-384 key must use SHA2-384 or greater.
- VPN connections perform name verification on server certificates. The following rules are applied to name verification:
– If a Subject Alternative Name extension is present with relevant attributes, name verification uses only the Subject Alternative Name. Relevant attributes include DNS Name attributes for all certificates and also include IP address attributes, if the connection is being performed to an IP address.
– If a certificate uses a wildcard for the purposes of name verification, the wildcard must be in the first (left-most) subdomain only and must be the last (right-most) character in the subdomain. Any wildcard entry not in compliance is ignored for the purposes of name verification.
The AnyConnect URI Handler simplifies AnyConnect setup and activities by servicing requests in the form of Universal Resource Indicators (URIs). Administrators embed URIs as links on web pages or in e-mail messages and then give users instructions to access them. The following enhancements have been made to the URI Handler in AnyConnect 3.0:
- Parameters have been added to the anyconnect:create command to create IPsec connection entries, for example:anyconnect:create?name=Description&host=vpn.company.com&protocol=IPsec&authentication=eap-md5&ike-identity=012A4F8B29A9BCD
– authentication: Specifies the authentication method used for an IPsec VPN connection. The valid values are EAP-AnyConnect, EAP-GTC, EAP-MD5, EAP-MSCHAPv2, or IKE-RSA. This parameter is optional; it applies when protocol specifies
IPseconly and defaults to EAP-AnyConnect if unspecified.
For URI details, see “Using the URI Handler to Generate a VPN Connection Entry” section in Chapter 13, “Administering AnyConnect for Mobile Devices” of the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.0 manual.
- Extensions have been made to the anyconnect:connect command to open a specified URL or close the AnyConnect UI based on the results of the connect action. For example:anyconnect://connect?host=vpn.company.com&onerror=http%3A%2F%2Fwww.cisco.com%2Ffailure.html&onsuccess=http%3A%2F%2Fwww.cisco.com
For URI details, see Using the URI Handler to Establish a VPN Connection section in Chapter 13, “Administering AnyConnect for Mobile Devices” of the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.0 manual.
A user is given the opportunity to import a server certificate if it is not automatically accepted by AnyConnect. Only valid, trusted server certificates are automatically accepted by AnyConnect. See Blocking Untrusted Servers below for the procedure to do this.
Valid, but untrusted server certificates are reviewed, authorized, and imported by the user. Once this server certificate is imported into the AnyConnect store, subsequent connections made to the server using this digital certificate are automatically accepted. The server certificate can be removed from the AnyConnect certificate store if it is no longer needed.
A new Block Untrusted Servers application setting determines how AnyConnect blocks connections if it cannot identify the secure gateway. This protection is ON by default; it can be turned OFF by the user, but this is not recommended.
AnyConnect uses the digital certificate received from the server to verify its identify. If the certificate is invalid (there is a certificate error due to an expired or invalid date, wrong key usage, or a name mismatch), or if it is untrusted (the certificate cannot be verified by a Certificate Authority), or both, the connection is blocked. A blocking message displays, and the user must choose how to proceed.
- Keep Me Safe to terminate this connection and remain safe.
- Change Settings to turn the Block Untrusted Servers application preference OFF, but this is not recommended. After the user disables this security protection, they must reinitiate the VPN connection.
- Cancel the connection and remain safe.
- Continue the connection, but this is not recommended.
- View Details of the certificate.
– Import the server certificate into the AnyConnect certificate store for future use and continue the connection by selecting Import and Continue. Once this certificate is imported into the AnyConnect store, subsequent connections made to the server using this digital certificate are automatically accepted.
Leaving the Block Untrusted Servers setting ON, having a valid, trusted server certificate configured on your secure gateway, and instructing your mobile users to always choose Keep Me Safe is the safest configuration for VPN connectivity to your network.
Simple Certificate Enrollment Protocol (SCEP) Proxy provides secure deployment of device certificates from third-party Certificate Authorities (CAs). It allows a mobile user to enroll with an internal CA without exposing the CA to external access.
With AnyConnect 3.0, an ASA 9.0 or later acts as a proxy for SCEP requests and responses that flow between the AnyConnect mobile device and the internal CA. Mobile devices rely on the ASA to know the identity of the CA, and do not access them directly. The received certificate is used to automatically connect after being imported into the AnyConnect certficiate store on the mobile device.
For more information, see “Configuring Certificate Enrollment using SCEP” section in the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.0 manual.
- Depending on network characteristics, SCEP proxy activity can take more than a few seconds. The user receives a message when the certificate has been received by the AnyConnect client.
- Using SCEP for certificate enrollment, proxy method or legacy method, is not compatible with mobile devices running in FIPS mode. Plan your deployment accordingly.
- Extends the Connect on Demand functionality by determining whether the user is on a trusted network.
- Applies to Wi-Fi connectivity only. When operating over other types of network connections, Connect on Demand does not use TND to determine whether a VPN should be connected.
- Is not a separate feature and cannot be configured or used outside of the Connect on Demand capabilities.
- Application preferences are now set inside the AnyConnect application by choosing Settings from the AnyConnect menu. Additional application settings have been added:
– A new Block Untrusted VPN setting has been added to the Settings screen. See the “Blocking Untrusted Servers“ section for details.
– A new FIPS Mode setting has been added to the Settings screen. See the “FIPS and Suite B Cryptography“ section for details.
- An Advanced screen has been added to the Connection Editor to configure connection settings beyond the required Server Address and Description: Network Roaming, Certificate, Connect On Demand, and the IPsec Tunnel Protocol settings.
- User-authorized server certificates are now imported and stored in the AnyConnect certificate store; see the “Server Certificate Management Enhancements” section for details.
- Email Logs now prompt the user for a problem description and reproduction steps.
- Suite B (IPsec only)
- FIPS 140-2 Level 1
- Client Certificate Authentication
- Auto Reconnect (regardless of the Auto Reconnect profile specification, AnyConnect Mobile always attempts to maintain the VPN as users move between cellular and WiFi networks)
- Routing Policy
- Network Roaming
- TLS Compression
- Cisco Profile Support
- Profile Update
- IPv6 over IPv4
- Post-Login Banner
- Dead Peer Detection
- Tunnel Keepalive
- Backup Server List
- Default Domain
- Cluster Support
- DNS Server Configuration
- Private-side Proxy Support
- Network Change Monitoring
- Graphical User Interface
- Pre-login Banner
- Secure Certificate Enrollment Protocol (SCEP)
- SCEP Proxy
- Certificate Management
ASA models support the Cisco AnyConnect Secure Mobility client for Apple iOS. See the Adaptive Security Appliance VPN Compatibility Reference for a complete list of compatibility requirements.
- ASA Release 8.0(3) and Adaptive Security Device Manager (ASDM) 6.1(3) are the minimum releases that support AnyConnect for mobile devices.
- You must upgrade to ASA 9.0 to use the following mobile features:
- An AnyConnect core license granting VPN access for a total number of simultaneous sessions. Satisfy this requirement with one of the following options, each which supports full client access from the desktop: Cisco AnyConnect Essentials license or Cisco AnyConnect Premium Clientless VPN Edition license.
- AnyConnect Mobile license for mobile device access.
These licenses are mutually exclusive per ASA, but you can configure a mixed network. Both the AnyConnect Essentials and AnyConnect Mobile licenses are nominally priced. We offer the following trial options:
- If you have an AnyConnect Essentials or Premium license and you would like to obtain a three-month trial Mobile AnyConnect license, go to the following website: https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=717
- If you would like to obtain both an AnyConnect Essentials or Premium license and an AnyConnect Mobile license, or you have questions about licensing, email us a request with the show version output from your ASA to email@example.com.
For brief descriptions and example product numbers (SKUs) of the AnyConnect user license options, see Cisco Secure Remote Access: VPN Licensing Overview .
For the latest details about the AnyConnect user license options, see Managing Feature Licenses in the Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3 .
- Cisco IOS routers do not support the Cisco AnyConnect Secure Mobility client for Apple iOS at this time.
- This release of AnyConnect for Apple iOS supports only the features that are strictly related to remote access.
- AnyConnect supports the following types of VPN configurations:
– iPhone Configuration Utility generated. For details about the iPhone Configuration Utility see http://www.apple.com/support/iphone/enterprise/
- The VPN configurations generated by the iPhone Configuration Utility do not support Network Roaming. If your users require Network Roaming, use an AnyConnect profile.
- The Apple iOS device supports no more than one AnyConnect VPN client profile. The contents of the generated configuration always matches the most recent profile. For example, if a user goes to vpn.example1.com and then goes to vpn.example2.com, the AnyConnect VPN client profile imported from vpn.example2.com replaces the one imported from vpn.example1.com.
- This release supports the tunnel keepalive feature; however, it can reduce the battery life of the device. Increasing the update interval value can mitigate that issue.
- Apple iOS 7 does not support Connect on Demand (COD) Always Connect domains. Domains in this category will be treated as Connect if Needed domains.
- AnyConnect collects device information when the UI is launched and a VPN connection is initiated. Therefore, there are circumstances in which AnyConnect can mis-report mobile posture information if the user relies on iOS’s Connect On Demand feature to make a connection initially, or after device information, such has the OS version, has changed.
- To ensure proper establishment of Connect On Demand VPN tunnels after updating AnyConnect, users must manually start the AnyConnect app and establish a connection. If this is not done, upon the next iOS system attempt to establish a VPN tunnel, the error message “The VPN Connection requires an application to start up” will display.
Also see Using the Connect on Demand Feature in the Cisco AnyConnect Secure Mobility Client Administrator Guide, for additional information about using Connect On Demand.
- A DTLS packet received while the device is asleep does not awaken it. TLS packets, however, awaken the device if notifications or Facetime is enabled. AnyConnect automatically disconnects the DTLS tunnel when the device goes to sleep to allow packets received over the TLS connection to wake the device. The DTLS tunnel is restored when the device resumes.
- Voice applications running in the background on an iPod Touch cannot receive packets over VPN. This functionality works as expected on iPhone devices.
- If a VPN configuration contains a large number of routes or split-dns rules, the Apple device cannot establish a VPN connection. This bug occurs, for example, if, upon connection, an ASA configuration pushes a VPN split-include list that has 70 or more rules that direct traffic to individual subnets. To prevent this bug from impacting users, apply a tunnel-all configuration or reduce the number of rules.
- AnyConnect may become slow or crash when there are a large number of VPN connections configured on the mobile device.
- Apple iOS Permits All Local LAN Traffic with Tunnel-all:Apple iOS permits traffic that is essential for the core operation of the device, regardless of whether a tunnel-all policy is in force. Examples of traffic that Apple iOS sends in the clear regardless of the tunnel policy include:
Cisco supports all AnyConnect software versions downloaded from the iTunes App Store; however, fixes and enhancements are provided only in the most recently released version. Cisco is not able to provide earlier versions of AnyConnect for Apple iOS as only the most recently released version is available from the iTunes App Store.
For the end-user license agreement for this product, see Cisco End User License Agreement, AnyConnect Secure Mobility Client, Release 3.0 .
For Open Source License information for this product, see Open Source Software Used in Cisco AnyConnect Secure Mobility Client, Release 3.0 for Mobile
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.