Cisco Secure Client (including AnyConnect) Features, License, and OSs, Release 5.x
This document identifies the Cisco Secure Client release 5.1 features, license requirements, and endpoint operating systems that are supported in the Secure Client (including AnyConnect). It also includes supported cryptographic algorithms and accessibility recommendations.
Supported Operating Systems
Cisco Secure Client 5.1 supports the following operating systems.
Windows
- Windows 11 (64-bit)
- Microsoft-supported versions of Windows 11 for ARM64-based PCs (Supported only in VPN client, DART, Secure Firewall Posture, Network Visibility Module, Umbrella Module, ISE Posture, and Zero Trust Access Module)
- Windows 10 x86 (32-bit) and x64 (64-bit)

macOS (64-bit only)
- macOS 15 Sequoia
- macOS 14 Sonoma
- macOS 13 Ventura

Linux (for x86_64)
- Red Hat: 10.x, 9.x, and 8.x
- Ubuntu: 24.04 and 22.04
- SUSE (SLES 15 (x86_64))
  - VPN: Limited support. Used only to install ISE Posture.
  - Not supported for Secure Firewall Posture or Network Visibility Module.

Linux (for ARM64)
- Red Hat 9.x and 8.x
- Ubuntu 24.04 and 22.04

See the Release Notes for Cisco Secure Client for OS requirements and support notes. See the Offer Descriptions and Supplemental Terms for licensing terms and conditions, and a breakdown of orderability and the specific terms and conditions of the various licenses.
See the Feature Matrix below for license information and operating system limitations that apply to Cisco Secure Client modules and features.
Supported Cryptographic Algorithms
The following tables list the cryptographic algorithms supported by Cisco Secure Client. The cryptographic algorithms and cipher suites are shown in order of preference, from most to least preferred. This preference order is dictated by Cisco's Product Security Baseline (PSB), with which all Cisco products must comply. Note that the PSB requirements change from time to time, so the cryptographic algorithms supported by subsequent versions of Secure Client will change accordingly.
TLS 1.3, 1.2, and DTLS 1.2 Cipher Suites (VPN)
Standard RFC Naming Convention | OpenSSL Naming Convention |
---|---|
TLS_AES_128_GCM_SHA256 | TLS_AES_128_GCM_SHA256 |
TLS_AES_256_GCM_SHA384 | TLS_AES_256_GCM_SHA384 |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 |
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ECDHE-ECDSA-AES256-GCM-SHA384 |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDHE-RSA-AES256-SHA384 |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | ECDHE-ECDSA-AES256-SHA384 |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-RSA-AES256-GCM-SHA384 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | DHE-RSA-AES256-SHA256 |
TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 |
TLS_RSA_WITH_AES_256_CBC_SHA256 | AES256-SHA256 |
TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | ECDHE-ECDSA-AES128-SHA256 |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE-RSA-AES128-GCM-SHA256 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DHE-RSA-AES128-SHA |
TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 |
TLS_RSA_WITH_AES_128_CBC_SHA256 | AES128-SHA256 |
TLS_RSA_WITH_AES_128_CBC_SHA | AES128-SHA |

TLS 1.2 Cipher Suites (Network Access Manager)
Standard RFC Naming Convention | OpenSSL Naming Convention |
---|---|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | ECDHE-ECDSA-AES256-SHA |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | DHE-DSS-AES256-GCM-SHA384 |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | DHE-DSS-AES256-SHA256 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE-RSA-AES256-SHA |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | DHE-DSS-AES256-SHA |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | ECDHE-ECDSA-AES128-SHA |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | DHE-DSS-AES128-GCM-SHA256 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | DHE-DSS-AES128-SHA256 |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | DHE-DSS-AES128-SHA |
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | ECDHE-RSA-DES-CBC3-SHA |
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | ECDHE-ECDSA-DES-CBC3-SHA |
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | EDH-RSA-DES-CBC3-SHA |
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA | EDH-DSS-DES-CBC3-SHA |
TLS_RSA_WITH_3DES_EDE_CBC_SHA | DES-CBC3-SHA |

DTLS 1.0 Cipher Suites (VPN)
Standard RFC Naming Convention | OpenSSL Naming Convention |
---|---|
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-RSA-AES256-GCM-SHA384 |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | DHE-RSA-AES256-SHA256 |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | DHE-RSA-AES128-GCM-SHA256 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | DHE-RSA-AES128-SHA256 |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | DHE-RSA-AES128-SHA |
TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA |
TLS_RSA_WITH_AES_128_CBC_SHA | AES128-SHA |

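An added example (not Cisco's code and not part of the original page) for auditing the suites listed above: it parses RFC-style names and filters a preference-ordered list down to the suites a stricter headend policy would keep. The policy (forward secrecy plus AEAD, no 3DES, HMAC-SHA1 or DSS) and all function names are assumptions of this example, not the Product Security Baseline.

```python
"""Audit RFC-style TLS cipher-suite names (added example, not Cisco code)."""
import re

# Constructed sample: names copied from the cipher-suite tables above,
# kept in the same relative (preference) order.
SAMPLE_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

EPHEMERAL_KX = {"ECDHE", "DHE", "TLS1.3"}  # key exchanges with forward secrecy
AEAD_MODES = ("GCM", "CCM", "POLY1305")


def parse_suite(rfc_name):
    """Split an RFC name into key exchange, authentication, cipher and hash."""
    body = re.sub(r"^(TLS|SSL)_", "", rfc_name.strip())
    if "_WITH_" in body:
        left, right = body.split("_WITH_", 1)
        kx, _, auth = left.partition("_")
        auth = auth or kx  # TLS_RSA_WITH_*: RSA is key exchange and auth
    else:
        # TLS 1.3 names omit key exchange and authentication; the
        # handshake always uses ephemeral (EC)DHE.
        kx, auth, right = "TLS1.3", "cert", body
    cipher, _, digest = right.rpartition("_")
    if not cipher or not digest:
        raise ValueError(f"unrecognised cipher-suite name: {rfc_name!r}")
    return {"name": rfc_name, "kx": kx, "auth": auth,
            "cipher": cipher, "hash": digest}


def findings(rfc_name):
    """Return policy findings for one suite; an empty list means it passes."""
    s = parse_suite(rfc_name)
    out = []
    if s["kx"] not in EPHEMERAL_KX:
        out.append(f"no forward secrecy ({s['kx']} key exchange)")
    if s["cipher"].startswith("3DES"):
        out.append("3DES (64-bit block cipher)")
    if not any(mode in s["cipher"] for mode in AEAD_MODES):
        out.append(f"not AEAD ({s['cipher']})")
    if s["hash"] == "SHA":
        out.append("HMAC-SHA1")
    if s["auth"] == "DSS":
        out.append("DSS server authentication")
    return out


def restrict(suites):
    """Keep only suites with no findings, preserving preference order."""
    return [name for name in suites if not findings(name)]


if __name__ == "__main__":
    for name in SAMPLE_SUITES:
        print(f"{name}: {'; '.join(findings(name)) or 'ok'}")
    print("allowed:", restrict(SAMPLE_SUITES))
```
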
IKEv2/IPsec Algorithms
Encryption
- ENCR_AES_GCM_256
- ENCR_AES_GCM_192
- ENCR_AES_GCM_128
- ENCR_AES_CBC_256
- ENCR_AES_CBC_192
- ENCR_AES_CBC_128

Pseudo Random Function
- PRF_HMAC_SHA2_256
- PRF_HMAC_SHA2_384
- PRF_HMAC_SHA2_512
- PRF_HMAC_SHA1

Diffie-Hellman Groups
- DH_GROUP_256_ECP - Group 19
- DH_GROUP_384_ECP - Group 20
- DH_GROUP_521_ECP - Group 21
- DH_GROUP_3072_MODP - Group 15
- DH_GROUP_4096_MODP - Group 16

Integrity
- AUTH_HMAC_SHA2_256_128
- AUTH_HMAC_SHA2_384_192
- AUTH_HMAC_SHA1_96
- AUTH_HMAC_SHA2_512_256

License Options
Use of the Cisco Secure Client 5.1 requires that you purchase either a Premier or Advantage license. The license(s) required depends on the Secure Client features that you plan to use, and the number of sessions that you want to support. These user-based licenses include access to support, and software updates that align with general BYOD trends.
Secure Client 5.1 licenses are used with Cisco Secure Firewall Adaptive Security Appliances (ASA), Integrated Services Routers (ISR), Cloud Services Routers (CSR), and Aggregated Services Routers (ASR), as well as other non-VPN headends such as Identity Services Engine (ISE). A consistent model is used regardless of the headend, so there is no impact when headend migrations occur.
One or more of the following Cisco Secure licenses may be required for your deployment:
License | Description |
---|---|
Advantage | Supports basic Secure Client features such as VPN functionality for PC and mobile platforms (Secure Client and standards-based IPsec IKEv2 software clients), FIPS, basic endpoint context collection, and 802.1x Windows supplicant. |
Premier | Supports all basic Secure Client Advantage features in addition to advanced features such as Network Visibility Module, clientless VPN, VPN posture agent, unified posture agent, Next Generation Encryption/Suite B, SAML, all plus services and flex licenses. |
VPN Only (Perpetual) | Supports VPN functionality for PC and mobile platforms, clientless (browser-based) VPN termination on Secure Firewall ASA, VPN-only compliance and posture agent in conjunction with ASA, FIPS compliance, and next-generation encryption (Suite B) with Secure Client and third-party IKEv2 VPN clients. VPN only licenses are most applicable to environments wanting to use Secure Client exclusively for remote access VPN services but with high or unpredictable total user counts. No other Secure Client function or service (such as Cisco Umbrella Roaming, ISE Posture, Network Visibility module, or Network Access Manager) is available with this license. |

Advantage and Premier License
From the Cisco Commerce Workspace website, choose the service tier (Advantage or Premier) and the length of term (1, 3, or 5 year). The number of licenses that are needed is based on the number of unique or authorized users that will make use of Secure Client. Secure Client is not licensed based on simultaneous connections. You can mix Advantage and Premier licenses in the same environment, and only one license is required for each user.
Cisco Secure 5.1 licensed customers are also entitled to earlier AnyConnect releases.
Feature Matrix
Cisco Secure 5.1 modules and features, with their minimum release requirements, license requirements, and supported operating systems are listed in the following sections:
Cisco Secure Client Deployment and Configuration
Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|
Deferred Upgrades | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Windows Services Lockdown | ASA 9.16 ASDM 7.16 | Advantage | yes | no | no |
Update Policy, Software and Profile Lock | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Auto Update | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Pre-deployment | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Auto Update Client Profiles | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Cisco Secure Client Profile Editor | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
User Controllable Features | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes* |

AnyConnect VPN Core Features
Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|
SSL (TLS & DTLS), including Per App VPN | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
SNI (TLS & DTLS) | n/a | Advantage | yes | yes | yes |
TLS Compression | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
DTLS fallback to TLS | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
IPsec/IKEv2 | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Split tunneling | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Dynamic Split Tunneling | ASA 9.16 | Advantage, Premier, or VPN-only | yes | yes | no |
Enhanced Dynamic Split Tunneling | ASA 9.16 | Advantage | yes | yes | no |
Both dynamic exclusion from and dynamic inclusion into a tunnel | ASA 9.16 | Advantage | yes | yes | no |
Split DNS | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | no |
Ignore Browser Proxy | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | no |
Proxy Auto Config (PAC) file generation | ASA 9.16 ASDM 7.16 | Advantage | yes | no | no |
Internet Explorer Connections tab lockdown | ASA 9.16 ASDM 7.16 | Advantage | yes | no | no |
Optimal Gateway Selection | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | no |
Global Site Selector (GSS) compatibility | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Local LAN Access | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Tethered device access via client firewall rules, for synchronization | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Local printer access via client firewall rules | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
IPv6 | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | no |
Further IPv6 implementation | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Certificate Pinning | no dependency | Advantage | yes | yes | yes |
Management VPN tunnel | ASA 9.16 ASDM 7.16 | Premier | yes | yes | no |

Connect and Disconnect Features
Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|
Fast User Switching | n/a | n/a | yes | no | no |
Simultaneous Clientless & Secure Client connections | ASA 9.16 ASDM 7.16 | Premier | yes | yes | yes |
Start Before Logon (SBL) | ASA 9.16 ASDM 7.16 | Advantage | yes | no | no |
Run script on connect & disconnect | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Minimize on connect | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Auto connect on start | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Auto reconnect (disconnect on system suspend, reconnect on system resume) | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | no |
Remote User VPN Establishment (permitted or denied) | ASA 9.16 ASDM 7.16 | Advantage | yes | no | no |
Logon Enforcement (terminate VPN session if another user logs in) | ASA 9.16 ASDM 7.16 | Advantage | yes | no | no |
Retain VPN session (when user logs off, and then when this or another user logs in) | ASA 9.16 ASDM 7.16 | Advantage | yes | no | no |
Trusted Network Detection (TND) | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Always on (VPN must be connected to access network) | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | no |
Always on exemption via DAP | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | no |
Connect Failure Policy (Internet access allowed or disallowed if VPN connection fails) | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | no |
Captive Portal Detection | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Captive Portal Remediation | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | no |
Enhanced Captive Portal Remediation | no dependency | Advantage | yes | yes | no |
Dual-home Detection | no dependency | n/a | yes | yes | yes |

Authentication and Encryption Features
Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|
Certificate only authentication | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
RSA SecurID/SoftID integration | no dependency | Advantage | yes | no | no |
Smartcard support | no dependency | Advantage | yes | yes | no |
SCEP (requires Posture Module if Machine ID is used) | no dependency | Advantage | yes | yes | no |
List & select certificates | no dependency | Advantage | yes | no | no |
FIPS | no dependency | Advantage | yes | yes | yes |
SHA-2 for IPsec IKEv2 (Digital Signatures, Integrity, & PRF) | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | yes |
Strong Encryption (AES-256 & 3DES-168) | no dependency | Advantage | yes | yes | yes |
NSA Suite-B (IPsec only) | ASA 9.16 ASDM 7.16 | Premier | yes | yes | yes |
Enable CRL check | no dependency | Premier | yes | no | no |
SAML 2.0 SSO | ASA 9.16 ASDM 7.16 | Premier or VPN only | yes | yes | yes |
Enhanced SAML 2.0 | ASA 9.16 | Premier or VPN only | yes | yes | yes |
External Browser SAML Package for Enhanced Web Authentication | ASA 9.16 ASDM 7.16 | Premier or VPN only | yes | yes | yes |
Multiple-certificate authentication | ASA 9.16 ASDM 7.16 | Advantage, Premier, or VPN only | yes | yes | yes |

Interfaces
Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|
GUI | ASDM 7.16 | Advantage | yes | yes | yes |
Command Line | ASA 9.16 | n/a | yes | yes | yes |
API | no dependency | n/a | yes | yes | yes |
Microsoft Component Object Module (COM) | no dependency | n/a | yes | no | no |
Localization of User Messages | no dependency | n/a | yes | yes | yes |
Custom MSI transforms | no dependency | n/a | yes | no | no |
User-defined resource files | no dependency | n/a | yes | yes | no |
Client Help | ASA 9.16 ASDM 7.16 | n/a | yes | yes | no |

Secure Firewall Posture (Formerly HostScan) and Posture Assessment
Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|
Endpoint Assessment | ASA 9.16 | Premier | yes | yes | yes |
Endpoint Remediation | ASDM 7.16 | Premier | yes | yes | yes |
Quarantine | no dependency | Premier | yes | yes | yes |
Quarantine status & terminate message | ASA 9.16 ASDM 7.16 | Premier | yes | yes | yes |
Secure Firewall Posture Package Update | ASA 9.16 ASDM 7.16 | Premier | yes | yes | yes |
Host Emulation Detection | no dependency | Premier | yes | no | no |
OPSWAT v4 | ASA 9.16 ASDM 7.16 | Premier | yes | yes | yes |
Disk Encryption | ASA 9.17(1) ASDM 7.17(1) | n/a | yes | yes | yes |
AutoDART | no dependency | n/a | yes | yes | yes |

ISE Posture
Feature | Minimum Secure Client Release | Minimum ASA/ASDM Release | Minimum ISE Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|---|---|
ISE Posture CLI | 5.0.01xxx | no dependency | no dependency | n/a | yes | no | no |
Posture State Synchronization | 5.0 | no dependency | 3.1 | n/a | yes | yes | yes |
Change of Authorization (CoA) | 5.0 | ASA 9.16 ASDM 7.16 | 2.0 | Advantage | yes | yes | yes |
ISE Posture Profile Editor | 5.0 | ASA 9.16 ASDM 7.16 | no dependency | Premier | yes | yes | yes |
AC Identity Extensions (ACIDex) | 5.0 | no dependency | 2.0 | Advantage | yes | yes | yes |
ISE Posture Module | 5.0 | no dependency | 2.0 | Premier | yes | yes | yes |
Detection of USB mass storage devices (v4 only) | 5.0 | no dependency | 2.1 | Premier | yes | no | no |
OPSWAT v4 | 5.0 | no dependency | 2.1 | Premier | yes | yes | no |
Stealth Agent for Posture | 5.0 | no dependency | 2.2 | Premier | yes | yes | no |
Continuous endpoint monitoring | 5.0 | no dependency | 2.2 | Premier | yes | yes | no |
Next-generation provisioning and discovery | 5.0 | no dependency | 2.2 | Premier | yes | yes | no |
Application kill and uninstall capabilities | 5.0 | no dependency | 2.2 | Premier | yes | yes | no |
Cisco Temporal Agent | 5.0 | no dependency | 2.3 | ISE Premier | yes | yes | no |
Enhanced SCCM approach | 5.0 | no dependency | 2.3 | Premier: Secure Client and ISE | yes | no | no |
Posture policy enhancements for optional mode | 5.0 | no dependency | 2.3 | Premier: Secure Client and ISE | yes | yes | no |
Periodic probe interval in profile editor | 5.0 | no dependency | 2.3 | Premier: Secure Client and ISE | yes | yes | no |
Visibility into hardware inventory | 5.0 | no dependency | 2.3 | Premier: Secure Client and ISE | yes | yes | no |
Grace period for noncompliant devices | 5.0 | no dependency | 2.4 | Premier: Secure Client and ISE | yes | yes | no |
Posture rescan | 5.0 | no dependency | 2.4 | Premier: Secure Client and ISE | yes | yes | no |
Secure Client stealth mode notifications | 5.0 | no dependency | 2.4 | Premier: Secure Client and ISE | yes | yes | no |
Disabling UAC prompt | 5.0 | no dependency | 2.4 | Premier: Secure Client and ISE | yes | no | no |
Enhanced grace period | 5.0 | no dependency | 2.6 | Premier: Secure Client and ISE | yes | yes | no |
Custom notification controls and revamp of remediation windows | 5.0 | no dependency | 2.6 | Premier: Secure Client and ISE | yes | yes | no |
End-to-end agentless posture flow | 5.0 | no dependency | 3.0 | Premier: Secure Client and ISE | yes | yes | no |

Network Access Manager
Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|
Core | ASA 9.16 ASDM 7.16 | Advantage | yes | no | no |
Wired support IEEE 802.3 | no dependency | n/a | yes | no | no |
Wireless support IEEE 802.11 | no dependency | n/a | yes | no | no |
Pre-logon & Single Sign on Authentication | no dependency | n/a | yes | no | no |
IEEE 802.1X | no dependency | n/a | yes | no | no |
IEEE 802.1AE MACsec | no dependency | n/a | yes | no | no |
EAP methods | no dependency | n/a | yes | no | no |
FIPS 140-2 Level 1 | no dependency | n/a | yes | no | no |
Mobile Broadband support | ASA 9.16 ASDM 7.16 | n/a | yes | no | no |
IPv6 | ASDM 9.0 | n/a | yes | no | no |
NGE and NSA Suite-B | ASDM 7.16 | n/a | yes | no | no |
TLS 1.2 for VPN connectivity* | no dependency | n/a | yes | no | no |
WPA3 Enhanced Open (OWE) and WPA3 Personal (SAE) support | no dependency | n/a | yes | no | no |

ISE started support for TLS 1.2 in release 2.0. Network Access Manager and ISE will negotiate to TLS 1.0 if you have Cisco Secure Client with TLS 1.2 and an ISE release prior to 2.0. Therefore, if you use Network Access Manager and EAP-FAST with ISE 2.0 (or later) for RADIUS servers, you must upgrade to the appropriate release of ISE as well.
Incompatibility warning: If you are an ISE customer running 2.0 or higher, you must read this before proceeding!
ISE RADIUS has supported TLS 1.2 since release 2.0; however, there is a defect in the ISE implementation of EAP-FAST using TLS 1.2, tracked by CSCvm03681. The defect has been fixed in the 2.4p5 release of ISE.
If NAM is used to authenticate using EAP-FAST with any ISE releases that support TLS 1.2 prior to the above releases, the authentication will fail and the endpoint will not have access to the network.
Network Visibility Module
Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|
Network Visibility Module | ASDM 7.16 ASA 9.16 | Premier | yes | yes | yes |
Adjustment to the rate at which data is sent | ASDM 7.16 ASA 9.16 | Premier | yes | yes | yes |
Customization of NVM timer | ASDM 7.16 ASA 9.16 | Premier | yes | yes | yes |
Broadcast and multicast option for data collection | ASDM 7.16 ASA 9.16 | Premier | yes | yes | yes |
Creation of anonymization profiles | ASDM 7.16 ASA 9.16 | Premier | yes | yes | yes |
Broader data collection and anonymization with hashing | ASDM 7.16 ASA 9.16 | Premier | yes | yes | yes |
Support for Java as a container | ASDM 7.16 ASA 9.16 | Premier | yes | yes | yes |
Configuration of cache to customize | ASDM 7.16 ASA 9.16 | Premier | yes | yes | yes |
Periodic flow reporting | ASDM 7.16 ASA 9.16 | Premier | yes | yes | yes |
Flow filter | no dependency | Premier | yes | yes | yes |
Standalone NVM | no dependency | Premier | yes | yes | yes |
Integration with Secure Cloud Analytics | no dependency | n/a | yes | no | no |
Process Tree Hierarchy | no dependency | n/a | yes | yes | yes |
Extension of Linux Kernel Capabilities | no dependency | n/a | n/a | n/a | yes |

Secure Umbrella Module
Secure Umbrella Module | Minimum ASA/ASDM Release | Minimum ISE Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|---|
Secure Umbrella Module | ASDM 7.16 ASA 9.16 | ISE 2.0 | Either Advantage or Premier Umbrella licensing is mandatory | yes | yes | no |
Umbrella Secure Web Gateway | no dependency | no dependency | n/a | yes | yes | no |
OpenDNS IPv6 support | no dependency | no dependency | n/a | yes | yes | no |

For information on Umbrella licensing, see https://www.opendns.com/enterprise-security/threat-enforcement/packages/
ThousandEyes Endpoint Agent Module
Feature | Minimum ASA/ASDM Release | Minimum ISE Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|---|
Endpoint Agent | no dependency | no dependency | n/a | yes | yes | no |

Zero Trust Access Module
Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|
Zero Trust Access Module | no dependency | n/a. Licensing is through Secure Access | yes | yes | no |

Customer Experience Feedback
Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
---|---|---|---|---|---|
Customer Experience Feedback | ASA 9.16 ASDM 7.16 | Advantage | yes | yes | no |

Diagnostic and Report Tool (DART)
Log Type | License Required | Windows | macOS | Linux |
---|---|---|---|---|
VPN | Advantage | yes | yes | yes |
Cloud Management | n/a | yes | yes | no |
Duo Desktop | n/a | yes | yes | no |
Endpoint Visibility Module | n/a | yes | no | no |
ISE Posture | Premier | yes | yes | yes |
Network Access Manager | Premier | yes | no | no |
Network Visibility Module | Premier | yes | yes | yes |
Secure Firewall Posture | Premier | yes | yes | yes |
Secure Endpoint | n/a | yes | yes | no |
ThousandEyes | n/a | yes | yes | no |
Umbrella | n/a | yes | yes | no |
Zero Trust Access Module | n/a | yes | yes | no |

Accessibility Recommendations
We are committed to enhancing accessibility and to providing a seamless experience for all users, by adhering to specific Voluntary Product Accessibility Template (VPAT) compliance standards. Our product is designed to integrate effectively with various accessibility tools, ensuring it is both user-friendly and accessible to individuals with specific needs.
JAWS Screen Reader
For Windows users, we recommend using the JAWS screen reader and its capabilities to assist those with disabilities. JAWS (Job Access with Speech) is a powerful screen reader that provides audio feedback and keyboard shortcuts for users with visual impairments. It allows users to navigate through applications and websites using speech output and braille displays. By integrating with JAWS, our product ensures that visually impaired users can efficiently access and interact with all features, enhancing their overall productivity and user experience.
Windows Operating System Accessibility Tools
Windows Magnifier
The Windows Magnifier tool allows users to enlarge on-screen content, improving visibility for those with low vision. Users can zoom in and out easily, ensuring that text and images are clear and readable.
On Windows, set your display resolution to at least 1280px x 1024px. You can zoom to 400% by changing the Scaling on Display setting and view one or two module tiles in Secure Client. When you zoom in above 200%, the Secure Client Advanced Window contents may not be fully available (depending on your monitor size). We do not support Reflow, which is typically used on content-based web pages and publications and is also known as Responsive Web Design.
Invert Colors
The invert colors feature provides contrast themes (aquatic, dusk, and night sky) and Windows custom themes. The user needs to change the Contrast Theme in the Windows settings to apply high contrast mode to Secure Client, which makes it easier for those with certain visual impairments to read and interact with on-screen elements.