|Broad operating System Support
● Windows 10, 8.1, 8, and 7
● Mac OS X 10.8 and later
● See the AnyConnect
Mobile data sheet for mobile platform information.
|Optimized network access: VPN protocol choice SSL
● AnyConnect provides a choice of VPN protocols, so administrators can use whichever protocol
best fits their business needs.
● Tunneling support includes SSL (TLS 1.2 and DTLS) and
next-generation IPsec IKEv2.
● DTLS provides an optimized connection for
traffic, such as VoIP traffic or TCP-based application access.
● TLS 1.2 (HTTP over TLS
SSL) helps ensure availability of network connectivity through locked-down environments, including those
using web proxy servers.
● IPsec IKEv2 provides an optimized connection for
latency-sensitive traffic when security policies require use of IPsec.
|Optimal gateway selection
● Determines and establishes connectivity to the optimal network-access point, eliminating the
need for end users to determine the nearest location.
● Designed for mobile users
● Can be configured so that the VPN connection
remains established during IP address changes, loss of connectivity, or hibernation or standby.
● With Trusted Network Detection, the VPN connection can automatically disconnect when an end
user is in the office and connect when a user is at a remote location.
● AES-256 and 3DES-168. (The security gateway device must have a strong-crypto license
● NSA Suite B algorithms, ESPv3 with IKEv2, 4096-bit RSA keys, Diffie-Hellman
group 24, and enhanced SHA2 (SHA-256 and SHA-384). Applies only to IPsec IKEv2 connections. An AnyConnect
Apex license is required.
|Wide range of deployment and connection options
● Predeployment, including Microsoft
● Automatic security gateway deployment (administrative rights are required for initial
installation) by ActiveX (Windows only) and Java
● Standalone by system icon
● Browser-initiated (web launch)
● Clientless portal initiated
● CLI initiated
● API initiated
|Wide range of authentication options
● RADIUS with password expiry (MSCHAPv2) to NT LAN Manager
● RADIUS one-time password (OTP) support (state and reply message
● RSA SecurID (including SoftID integration)
● Active Directory or
● Embedded certificate authority (CA)
● Digital certificate or
smartcard (including machine-certificate support), auto- or user-selected
Directory Access Protocol (LDAP) with password expiry and aging
● Generic LDAP
● Combined certificate and username-password multifactor authentication (double
|Consistent user experience
● Full-tunnel client mode supports remote-access users requiring a consistent LAN-like user
● Multiple delivery methods help ensure broad compatibility of
● User may defer pushed updates.
● Customer experience
feedback option is available.
|Centralized policy control and management
● Policies can be preconfigured or configured locally and can be automatically updated from
VPN security gateway.
● API for AnyConnect eases deployments through webpages or
● Checking and user warnings are issued for untrusted certificates.
● Certificates can be viewed and managed locally.
|Advanced IP network connectivity
● Public connectivity to and from IPv4 and IPv6 networks
● Access to internal
IPv4 and IPv6 network resources
● Administrator-controlled split-tunneling and
all-tunneling network access policy
● Access control policy
policy for Google Android (Lollipop) and Samsung KNOX (new in Release 4.0; requires Cisco ASA
5500-X with OS 9.3 or later and AnyConnect 4.0 licenses)
IP address assignment
● Internal pool
Host Configuration Protocol (DHCP)
|Robust unified endpoint compliance
(Apex license required)
● Endpoint posture assessment and remediation is supported for wired and wireless environments
(replacing the Cisco Identity Services Engine NAC Agent). Requires Identity Services Engine 1.3 or later
with Identity Services Engine Apex license.
● Cisco Hostscan seeks to detect the presence
of antivirus software, personal firewall software, and Windows service packs on the endpoint system prior
granting network access.
● Administrators also have the option of defining custom posture
checks based on the presence of running processes.
● Hostscan detects the presence of a
watermark on a remote system. The watermark can be used to identify assets that are corporate owned and
provide differentiated access as a result. The watermark-checking capability includes system registry
values, file existence matching a required CRC32 checksum, IP address range matching, and certificates
issued by or to a matching certificate authority. Additional capabilities are supported for
● Functions vary by operating system. See the Host
Scan Support charts for detailed information.
|Client firewall policy
● Provides added protection for split-tunneling configurations.
● Used in
conjunction with the AnyConnect client to allow for local-access exceptions (for example, printing,
device support, and so on).
● Supports port-based rules for IPv4 and network and IP
control lists (ACLs) for IPv6.
● Available for Windows and Mac OS X platforms.
In addition to English, the following language translations are included:
● Czech (cs-cz)
● German (de-de)
● Spanish (es-es)
● French (fr-fr)
● Japanese (ja-jp)
● Korean (ko-kr)
● Polish (pl-pl)
● Simplified Chinese (zh-cn)
● Dutch (nl-nl)
● Hungarian (hu-hu)
● Italian (it-it)
● Portuguese (Brazil) (pt-br)
|Ease of client administration
● Administrators can automatically distribute software and policy updates from the headend
security appliance, thereby eliminating administration associated with client software updates.
● Administrators can determine which capabilities to make available for end-user
● Administrators can trigger an endpoint script at connect and disconnect
times when domain login scripts cannot be utilized.
● Administrators can fully customize
and localize end-user visible messages.
● AnyConnect policies may be customized directly from Cisco Adaptive Security Device Manager
● On-device statistics and logging information are available.
● Logs can be
viewed on device.
● Logs can be easily emailed to Cisco or an administrator for analysis.
|Federal Information Processing Standard (FIPS)
● FIPS 140-2 level 2 compliant (platform, feature, and version restrictions apply)
|Secure Mobility and Network
|Web security integration
(Cloud Web Security license
● Uses Cloud Web Security, the largest global provider of oftware-as-a-ervice (SaaS) web security, to keep malware off corporate networks
control and safeguard employee web usage.
● Supports cloud-hosted configurations and
● Gives organizations flexibility and choice by supporting cloud-based
services in addition to premises-based services.
● Integrates with the Web Security
● Supports Trusted Network Detection.
● Enforces security
policy in every transaction, independent of user location.
● Requires always-on highly
secure network connectivity with a policy to permit or deny network connectivity if access becomes
● Detects hotspots and captive portals.
|Network Visibility module
(Apex license required)
● Uncover potential behavior anomalies by monitoring application usage.
● Allows for more informed network-design decisions.
● Can share usage data
a growing number of Internet Protocol Flow Information Export (IPFIX)-capable network-analysis tools.
|Advanced Malware Protection (AMP) for Endpoints Enabler
for Endpoints licensed separately)
● Simplifies the enablement of threat services to AnyConnect endpoints by distributing
enabling CiscoAMP for Endpoints.
● Extends endpoint threat services to remote
endpoints, increasing endpoint threat coverage.
● Provides more proactive protection
to further assure an attack is mitigated at the remote endpoint quickly.
|Broad operating system support
● Windows 10, 8.1, 8, and 7
● Mac OS X 10.8 and later
|Network Access Manager and 802.1X
● Ethernet (IEEE 802.3)
● Wi-Fi (IEEE 802.11a/b/g/n)
● IEEE 802.1X-2001, 802.1X-2004, and 802.1X-2010
● Enables businesses to
a single 802.1X authentication framework to access both wired and wireless networks.
● Manages the user and device identity and the network access protocols required for highly
● Optimizes the user experience when connecting to a Cisco unified wired
|Extensible Authentication Protocol (EAP) methods
● EAP-Transport Layer Security (TLS)
● EAP-Protected Extensible
Protocol (PEAP) with the following inner methods:
- EAP-Generic Token Card (GTC)
● EAP-Flexible Authentication via Secure Tunneling (FAST) with the following inner
● EAP-Tunneled TLS (TTLS) with the following inner methods:
Authentication Protocol (PAP).
- Challenge Handshake Authentication Protocol
- Microsoft CHAP (MSCHAP).
● Lightweight EAP
● EAP-Message Digest 5 (MD5), administrative configured, Ethernet only
● EAP-MSCHAPv2, administrative configured, Ethernet only
administrative configured, Ethernet only
|Wireless encryption methods (requires corresponding 802.11 NIC
● Wired Equivalent Privacy (WEP)
● Dynamic WEP
● Wi-Fi Protected Access (WPA) Enterprise
● WPA2 Enterprise
● WPA Personal (WPA-PSK)
● WPA2 Personal (WPA2-PSK)
(requires Cisco CB21AG Wireless NIC)
|Wireless encryption protocols
● Counter mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) using
Advanced Encryption Standard (AES) algorithm
● Temporal Key Integrity Protocol (TKIP)
the Rivest Cipher 4 (RC4) stream cipher
● RFC2716 (EAP-TLS) session resumption using EAP-TLS, EAP-FAST, EAP-PEAP, and EAP-TTLS
● EAP-FAST stateless session resumption
● PMK-ID caching (Proactive Key
or Opportunistic Key Caching), Windows XP only
● Media Access Control: IEEE 802.1AE (MACsec)
● Key management: MACsec Key
● Defines a security infrastructure on a wired Ethernet network to
data confidentiality, data integrity, and authentication of data origin.
communication between trusted components of the network.
|One connection at a time
● Allows only a single connection to the network, disconnecting all others.
● No bridging between adapters.
● Ethernet connections automatically take
|Complex server validation
● Supports “ends with” and “exact match” rules.
● Support for more than 30
rules for servers with no name commonality.
● Differentiates access based on enterprise and non-enterprise assets.
● Validates users and devices in a single EAP transaction.
|Enterprise Connection Enforcement (ECE)
● Helps ensure that users connect only to the correct corporate network.
● Prevents users from connecting to a third-party access point to surf the Internet while in
● Prevents users from establishing access to the guest network.
● Eliminates cumbersome blacklisting.
|Next-generation encryption (Suite B)
● Supports the latest cryptographic standards.
● Elliptic Curve
● Elliptic Curve Digital Signature Algorithm (ECDSA) certificates
● Interactive user passwords or Windows passwords
● RSA SecurID tokens
● One-time password (OTP) tokens
● Smartcards (Axalto, Gemplus, SafeNet iKey,
● X.509 certificates.
● Elliptic Curve Digital Signature
Algorithm (ECDSA) certificates.
|Remote desktop support
● Authenticates remote user credentials to the local network when using Remote Desktop
|Operating systems supported
● Windows 10, 8.1, 8 and 7