Cisco Secure Client (including AnyConnect)
AnyConnect is now known as Cisco Secure Client

Broad operating system support

Windows 11 (64-bit), current Microsoft supported versions of Windows 10 x86 (32-bit) and x64 (64-bit), and Windows 8

Microsoft-supported versions of Windows 11 for ARM64-based

Microsoft-supported versions of Windows 10 for ARM64-based PCs

Note:Cisco Secure Client 5.0 is Windows 10/11 Only. AnyConnect supports all the above.

macOS 12, 11.2, 10.15, and 10.14 (all 64-bit)

Red Hat

Ubuntu

SUSE (SLES)

See mobile data sheet for Mobile OS support

Software access

Downloads are available in the Cisco.com Software Center

Technical support and software entitlement for AnyConnect is included with all term-based Plus and Apex licenses, and it can be purchased separately for the Plus perpetual license

The contract number must be linked to Cisco.com ID

Optimized network access: VPN protocol choice SSL

(TLS and DTLS); IPsec IKEv2

AnyConnect provides a choice of VPN protocols, so administrators can use whichever protocol best fits their business needs

Tunneling support includes SSL (TLS 1.2 and DTLS 1.2) and next-generation IPsec IKEv2

DTLS provides an optimized connection for latency-sensitive traffic, such as VoIP traffic or TCP-based application access

TLS 1.2 (HTTP over TLS or SSL) helps ensure availability of network connectivity through locked-down environments, including those using web proxy servers

IPsec IKEv2 provides an optimized connection for latency-sensitive traffic when security policies require use of IPsec

Optimal gateway selection

Determines and establishes connectivity to the optimal network-access point, eliminating the need for end users to determine the nearest location

Mobility friendly

Designed for mobile users

Can be configured so that the VPN connection remains established during IP address changes, loss of connectivity, or hibernation or standby

With Trusted Network Detection, the VPN connection can automatically disconnect when an end user is in the office and connect when a user is at a remote location

Encryption

TLS/DTLS 1.2 strong ciphers supported

Next-generation encryption, including NSA Suite B algorithms, ESPv3 with IKEv2, 4096-bit RSA keys, Diffie-Hellman group 24, and enhanced SHA2 (SHA-256 and SHA-384). Applies only to IPsec IKEv2 connections. Premier (formerly AnyConnect Apex) is required

Wide range of deployment options

Deployment options:

Predeploy—New installations and upgrades are done either by the end user or by using an enterprise Software Management System (SMS)

Web Deploy—The Cisco Secure Client package is loaded on the headend, which is either a Secure Firewall ASA, Secure Firewall Threat Defense, or an ISE server. When the user connects to a firewall or to ISE, Cisco Secure Client is deployed to the client

SecureX Cloud Management Deployment— Cisco Secure Client 5.0 can be deployed from the Cloud using customizable deployments

Wide range of authentication options

Protocols:

SAML 2.0 with Embedded or Native Browser (SSO)

RADIUS

LDAP

Certificate.

TACACS+

HTTP Form

SDI

Kerberos

Headend Methods

AAA

AAA and Certificate

Certificate Only

SAML

Multiple Certificates and AAA

Consistent user experience

Full-tunnel client mode supports remote-access users requiring a consistent LAN-like user experience

Multiple delivery methods help ensure broad compatibility of AnyConnect

User may defer client software updates if configured by the Administrator

Customer experience feedback option is available

Centralized policy control and management

Policies can be preconfigured or configured locally and can be automatically updated from the VPN security gateway

API for AnyConnect eases deployments through webpages or applications

Checking and user warnings are issued for untrusted certificates

Cisco Secure Client supports deployment and management using the SecureX platform

Advanced IP network connectivity

Public connectivity to and from IPv4 and IPv6 networks

Access to internal IPv4 and IPv6 network resources

Administrator-controlled split-tunneling (Network and Dynamic (domain) and full tunnel network access policy

Access control policy using Dynamic Access Polices or the identity Services Engine

Per-app VPN policy for Apple iOS and Google Android

IP address assignment mechanisms:

Static

Internal pool

Dynamic Host Configuration Protocol (DHCP)

RADIUS/Lightweight Directory Access Protocol (LDAP)

Robust unified endpoint compliance

(Premier formerly Apex license required)

Endpoint posture assessment and remediation is supported for wired and wireless environments (replacing the Cisco Identity Services Engine NAC Agent). Requires Identity Services Engine (ISE) 1.3 or later with Identity Services Engine Apex license

ISE Posture (working in conjunction with ISE) and Host Scan (VPN only) seeks to detect the presence of anti-malware software, Windows service packs/patching state, and range of other software services on the endpoint system prior to granting network access

Administrators also have the option of defining custom posture checks based on the presence of running processes

ISE Posture and Host Scan can detect the presence of a watermark on a remote system. The watermark can be used to identify assets that are corporate owned and provide differentiated access as a result. The watermark-checking capability includes system registry values, file existence matching a required CRC32 checksum, and a range of other capabilities. Additional capabilities are supported for out-of-compliance applications

Client firewall policy

Provides added protection for split-tunneling configurations

Used in conjunction with the AnyConnect and Cisco Secure Client to allow for local-access exceptions (for example, printing, tethered device support, and so on)

Supports port-based rules for IPv4 and network and IP Access Control Lists (ACLs) for IPv6

Available for Windows and Mac OS X platforms

Localization

In addition to English, the following language translations are included:

cs-CZ Czech (Czech Republic)

de-DE German (Germany)

es-ES Spanish (Spain)

fr-CA French (Canada)

fr-FR French (France)

hu-HU Hungarian (Hungary)

it-IT Italian (Italy)

ja-JP Japanese (Japan)

ko-KR Korean (Korea)

nl-NL Dutch (Netherlands)

pl-PL Polish (Poland)

pt-BR Portuguese (Brazil)

ru-RU Russian (Russia)

zh-CN Chinese (China)

zh-HANS Chinese (Simplified)

zh-HANT Chinese (Traditional)

zh-TW Chinese (Taiwan)

Ease of client administration

Administrators can automatically distribute software and policy updates from the headend security appliance thereby eliminating administration associated with client software updates. Cisco Secure Client 5.0 also offers administrators the ability to deploy and manage the client from the SecureX Cloud.

Administrators can determine which capabilities to make available for end-user configuration

Administrators can trigger an endpoint script at connect and disconnect times when domain login scripts cannot be utilized

Administrators can fully customize and localize end-user visible messages

Profile editor

AnyConnect policies may be customized directly from Cisco Adaptive Security Device Manager (ASDM)

Stand-alone Profile Editor

SecureX Cisco Secure Client Profile page

Diagnostics

On-device statistics and logging information are available

Logs can be viewed on device

Logs can be easily emailed to Cisco or an administrator for analysis

Federal Information Processing Standard (FIPS)

FIPS 140-2 level 2 compliant (platform, feature, and version restrictions apply)

Cisco Umbrella Roaming (Cisco Umbrella Roaming license required)

The Umbrella Roaming Security module requires a subscription to a Umbrella Roaming Security service with either the Professional, Insights, Platform, or MSP package. Umbrella Roaming Security provides DNS-layer security when no VPN is active, and a Cisco Umbrella subscription adds Intelligent Proxy. Additionally, Cisco Umbrella subscriptions provide content filtering, multiple policies, robust reporting, active directory integration, and much more. The same Umbrella Roaming Security module is used regardless of the subscription.

● Enforce security for roaming devices when the VPN is off

● Automatically block malware, phishing, and C2 callbacks on roaming devices

● Simplest way to protect devices anywhere they go

Utilize endpoint redirection to enforce DNS-based security when the VPN is off or with split tunnels (applies to communication outside tunnel).

Network Visibility module (Premier formerly Apex license required)

Capture endpoints flows with rich user, endpoint, application, location, and destination context

Flexible collection settings on and off premise

Uncover potential behavior anomalies by monitoring application usage

Allows for more informed network-design decisions

Usage data can be shared with NetFlow analysis tools such as Cisco Network Analytics

Cisco Secure Endpoint formerly Advanced Malware Protection (AMP) for Endpoints

(Cisco Secure Endpoints licensed separately)

Cisco Secure Client brings together both AnyConnect VPN/ZTNA and Cisco Secure Endpoint capabilities

Extends endpoint threat services to remote endpoints, increasing endpoint threat coverage

Provides more proactive protection to further assure an attack is mitigated at the remote endpoint quickly

macOS endpoints can continue to use standalone Secure Endpoint client

Media support

● Ethernet (IEEE 802.3)

● Wi-Fi (IEEE 802.11)

Network authentication

●IEEE 802.1X-2001, 802.1X-2004, and 802.1X-2010

●Enables businesses to deploy a single 802.1X authentication framework to access both wired and wireless networks

●Manages the user and device identity and the network access protocols required for highly secure access

●Optimizes the user experience when connecting to a Cisco unified wired and wireless network

Extensible Authentication Protocol (EAP) methods

● EAP-Transport Layer Security (TLS)

●EAP-Protected Extensible Authentication Protocol (PEAP) with the following inner methods:

● EAP-TLS

● EAP-MSCHAPv2

● EAP-Generic Token Card (GTC)

● EAP-Flexible Authentication via Secure Tunneling (FAST) with the following inner methods:

● EAP-TLS

● EAP-MSCHAPv2

● EAP-GTC

● EAP-Tunneled TLS (TTLS) with the following inner methods:

● Password Authentication Protocol (PAP)

● Challenge Handshake Authentication Protocol (CHAP)

● Microsoft CHAP (MSCHAP)

● MSCHAPv2

● EAP-MD5

● EAP-MSCHAPv2

●Lightweight EAP (LEAP), Wi-Fi only

●EAP-Message Digest 5 (MD5), administrative configured, Ethernet only

● EAP-MSCHAPv2, administrative configured, Ethernet only

● EAP-GTC, administrative configured, Ethernet only

Wireless encryption methods (requires corresponding 802.11 NIC support)

●Open

●Wired Equivalent Privacy (WEP)

●Dynamic WEP

●Wi-Fi Protected Access (WPA) Enterprise

●WPA2 Enterprise

●WPA Personal (WPA-PSK)

●WPA2 Personal (WPA2-PSK)

Wireless encryption protocols

Counter mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) using the Advanced Encryption Standard (AES) algorithm

Session resumption

RFC2716 (EAP-TLS) session resumption using EAP-TLS, EAP-FAST, EAP-PEAP, and EAP-TTLS

EAP-FAST stateless session resumption

Ethernet encryption

Media Access Control: IEEE 802.1AE (MACsec)

Key management: MACsec Key Agreement (MKA)

Defines a security infrastructure on a wired Ethernet network to provide data confidentiality, data integrity, and authentication of data origin

Safeguards communication between trusted components of the network

One connection at a time

(Windows only with Network Access Manager)

Allows only a single connection to the network disconnecting all others

No bridging between adapters

Ethernet connections automatically take priority

Complex server validation

Supports “ends with” and “exact match” rules

Support for more than 30 rules for servers with no name commonality

EAP-Chaining (EAP-FASTv2)

Differentiates access based on enterprise and non-enterprise assets

Validates users and devices in a single EAP transaction

Enterprise Connection Enforcement (ECE)

Helps ensure that users connect only to the correct corporate network

Prevents users from connecting to a third-party access point to surf the Internet while in the office

Prevents users from establishing access to the guest network

Eliminates cumbersome blocked listing

Next-generation encryption (Suite B)

Supports the latest cryptographic standards:

Elliptic Curve Diffie-Hellman key exchange

Elliptic Curve Digital Signature Algorithm (ECDSA) certificates

Credential types

● Interactive user passwords or Windows passwords

● RSA SecurID tokens

● One-time password (OTP) tokens

● Smartcards (Axalto, Gemplus, SafeNet iKey, Alladin)

● X.509 certificates

● Elliptic Curve Digital Signature Algorithm (ECDSA) certificates