Cisco Secure Client (including AnyConnect)

Microsoft-supported versions of Windows 11 for ARM64-based

Microsoft-supported versions of Windows 10 for ARM64-based PCs

Note: Initial CISCO SECURE CLIENT5.0 is Windows 10/11 Only. AnyConnect supports all the above. macOS 12, 11.2, 10.15, and 10.14 (all 64-bit)

Red Hat

Ubuntu

SUSE (SLES)

See mobile data sheet for Mobile OS support

• Downloads are available in the Cisco.com Software Center
• Technical support and software entitlement for Cisco Secure Client is included Premier and Advantage licensing
• The contract number must be linked to Cisco.com ID.

• Cisco Secure Client provides a choice of VPN protocols, so administrators can use whichever protocol best fits their business needs
• Tunneling support includes SSL (TLS 1.2 and DTLS 1.2) and next-generation IPsec IKEv2
• DTLS provides an optimized connection for latency-sensitive traffic, such as VoIP traffic or TCP-based application access
• TLS 1.2 (HTTP over TLS or SSL) helps ensure availability of network connectivity through locked-down environments, including those using web proxy servers
• IPsec IKEv2 provides an optimized connection for latency-sensitive traffic when security policies require use of IPsec

• Designed for mobile users
• Can be configured so that the VPN connection remains established during IP address changes, loss of connectivity, or hibernation or standby
• With Trusted Network Detection, the VPN connection can automatically disconnect when an end user is in the office and connect when a user is at a remote location

• TLS/DTLS 1.2 strong ciphers supported
• Next-generation encryption, including NSA Suite B algorithms, ESPv3 with IKEv2, 4096-bit RSA keys, Diffie-Hellman group 24, and enhanced SHA2 (SHA-256 and SHA-384).
pplies only to IPsec IKEv2 connections. Premier (formerly AnyConnect Apex) is required

• Pre-deploy—New installations and upgrades are done either by the end user, or by using an enterprise Software Management System (SMS).
• Web Deploy—The Cisco Secure Client package is loaded on the headend, which is either a Secure Firewall ASA, Secure Firewall Threat Defense, or an ISE server. When the user connects to a firewall or to ISE, Cisco Secure Client is deployed to the client.
• XDR and Cisco Secure Client Cloud Management: Cisco Secure Client 5.0 can be deployed from the cloud using customizable deployment options.

• SAML 2.0 with Embedded or Native Browser (SSO)
• RADIUS
• LDAP
• Certificate
• TACACS+
• HTTP Form

Headend Methods

• AAA
• AAA and Certificate
• Certificate Only
• SAML
• Multiple Certificates and AAA
• Multiple Certificates

• Full-tunnel client mode supports remote-access users requiring a consistent LAN-like user experience
• Multiple delivery methods help ensure broad compatibility of AnyConnect
• User may defer client software updates if configured by the Administrator

• Policies can be preconfigured or configured locally and can be automatically updated from the VPN security gateway
• API for AnyConnect eases deployments through webpages or applications
• Checking and user warnings are issued for untrusted certificates

• Public connectivity to and from IPv4 and IPv6 networks
• Access to internal IPv4 and IPv6 network resources
• Administrator-controlled split-tunneling (Network and Dynamic (domain) and full tunnel network access policy
• Access control policy using Dynamic Access Polices or the identity Services Engine
• Per-app VPN policy for Apple iOS, Google Android, and Samsung Knox

IP address assignment mechanisms:

• Static
• Internal pool
• Dynamic Host Configuration Protocol (DHCP)
• RADIUS/Lightweight Directory Access Protocol (LDAP)

• Endpoint posture assessment and remediation is supported for wired and wireless environments (replacing the Cisco Identity Services Engine NAC Agent). Requires Identity Services Engine (ISE) with Identity Services Engine Premier license
• ISE Posture (working in conjunction with ISE) and Host Scan (VPN only) seeks to detect the presence of anti-malware software, Windows service packs/ patching state, and range of other software services on the endpoint system prior to granting network access
• Administrators also have the option of defining custom posture checks based on the presence of running processes
• ISE Posture and Host Scan can detect the presence of a watermark on a remote system. The watermark can be used to identify assets that are corporate owned and provide differentiated access as a result. The watermark-checking capability includes system registry values, file existence matching a required CRC32 checksum, and a range of other capabilities. Additional capabilities are supported for out-of-compliance applications

• Provides added protection for split-tunneling configurations
• Used in conjunction with the AnyConnect module and Cisco Secure Client to allow for local-access exceptions (for example, printing, tethered device support, and so on)
• Supports port-based rules for IPv4 and network and IP Access Control Lists (ACLs) for IPv6
• Available for Windows and macOS platforms

• cs-CZ Czech (Czech Republic)
• de-DE German (Germany)
• es-ES Spanish (Spain)
• fr-CA French (canada)
• fr-FR French (france)
• hu-HU Hungarian (Hungary)
• it-IT Italian (Italy)
• ja-JP Japanese (Japan)
• ko-KR Korean (Korea)
• nl-NL Dutch (Netherlands)
• pl-PL Polish (Poland)
• pt-BR Portuguese (Brazil)
• ru-RU Russian (Russia)
• zh-CN Chinese (China)
• zh-HANS Chinese (Simplified)
• zh-HANT Chinese (Traditional)
• zh-TW Chinese (Taiwan)

• Administrators can automatically distribute software and policy updates from the headend security appliance thereby eliminating administration associated with client software updates. Cisco Secure Client 5 also offers Administrators the ability to deploy and manage via Client Management (available via Cisco XDR or standalone)
• Administrators can determine which capabilities to make available for end-user configuration
• Administrators can trigger an endpoint script at connect and disconnect times when domain login scripts cannot be utilized
• Administrators can fully customize and localize end-user visible messages

• AnyConnect policies may be customized directly from Cisco Adaptive Security Device Manager (ASDM)
• Stand-alone Profile Editor
• XDR Client Management or Cisco Secure Client Cloud Management: The profile configuration page includes settings for Cloud Management functionality and various client modules, such as ISE Posture, Network Visibility Module, Cisco Secure Endpoint, Customer Experience Feedback, and VPN

• On-device statistics and logging information are available
• Logs can be viewed on device
• Logs can be easily emailed to Cisco or an administrator for analysis

• The Umbrella Roaming Security module requires a subscription to the Umbrella Roaming Security service, which can be obtained through DNS Security Essentials, DNS Security Advantage, SIG Essentials, or SIG Advantage plans. This module offers DNS-layer security when no VPN is active. A Cisco Umbrella subscription enhances this with Intelligent Proxy capabilities. Additionally, Cisco Umbrella subscriptions offer features such as content filtering, multiple policy management, comprehensive reporting, Active Directory integration, and more. The same Umbrella Roaming Security module is utilized across all subscription plans
• Enforce security for roaming devices when the VPN is off
• Automatically block malware, phishing, and C2 callbacks on roaming devices
• Simplest way to protect devices anywhere they go
• Utilize endpoint redirection to enforce DNS-based security when the VPN is off or with split tunnels (applies to communication outside tunnel)

• Capture endpoint flows with detailed information about users, endpoints, applications, locations, and destinations
• Enable flexible collection settings for both on-premises and off-premise environments
• Monitor application usage to uncover potential behavioral anomalies
• Facilitate more informed network design decisions
• Share usage data with NetFlow analysis tools, such as Cisco Network Analytics

• Cisco Secure Client 5 is a unified agent that integrates the functionalities of the former AnyConnect and AMP for Endpoints, now known as Cisco Secure Endpoint. In its initial release, available exclusively for Windows, administrators can leverage a single agent to deliver both Cisco Secure Client and Cisco Secure Endpoint functionalities through a unified client and user interface
• Extends endpoint threat services to remote endpoints, increasing endpoint threat coverage
• Provides more proactive protection to further assure an attack is mitigated at the remote endpoint quickly

• Licensed separately the Endpoint Agent is an application designed to collect performance data at both the network and application layers when users access specific websites within monitored networks
• This tool enhances customers’ ability to gain a comprehensive view of their application health, enabling them to make more informed decisions and resolve issues more swiftly
• When ThousandEyes is installed within the Secure Client, its version is displayed in the Secure Client About box upon detection

• Ethernet (IEEE 802.3)
• WI-FI (IEEE 802.11

• IEEE 802.1X-2001, 802.1X-2004, and 802.1X-2010
• Enables businesses to deploy a single 802.1X authentication framework to access both wired and wireless networks
• Manages the user and device identity and the network access protocols required for highly secure access
• Optimizes the user experience when connecting to a Cisco unified wired and wireless network

• WEP: (Wired Equivalent Privacy
• WPA: (Wi-Fi Protected Access)
• WPA2: Advanced Encryption Standard (AES) for encryption support
• WPA3: CCMP-128 and GCMP-256 support
• Enhanced Open: Provides unauthenticated data encryption to users, an improvement over traditional open networks with no protection at all. It is based on Opportunistic Wireless Encryption (OWE)

• RFC2716 (EAP-TLS) session resumption using EAP-TLS, EAP-FAST, EAPPEAP, and EAP-TTLS
• EAP-FAST stateless session resumption

• Media Access Control: IEEE 802.1AE (MACsec)
• Key management: MACsec Key Agreement (MKA)
• Defines a security infrastructure on a wired Ethernet network to provide data confidentiality, data integrity, and authentication of data origin. Safeguards communication between trusted components of the network

• Allows only a single connection to the network disconnecting all others
• No bridging between adapters
• Ethernet connections automatically take priority

• Supports “ends with” and “exact match” rules
• Support for more than 30 rules for servers with no name commonality

• Differentiates access based on enterprise and non-enterprise assets
• Validates users and devices in a single EAP transaction

• Helps ensure that users connect only to the correct corporate network
• Prevents users from connecting to a third-party access point to surf the Internet while in the office
• Prevents users from establishing access to the guest network
• Eliminates cumbersome blocked listing

• Supports the latest cryptographic standards
• Elliptic Curve Diffie-Hellman key exchange
• Elliptic Curve Digital Signature Algorithm (ECDSA) certificates

• Interactive user passwords or Windows passwords
• RSA SecurID tokens
• One-Time Password (OTP) tokens
• Smartcards (Axalto, Gemplus, SafeNet iKey, Alladin)
• X.509 certificates
• Elliptic Curve Digital Signature Algorithm (ECDSA) certificates

• When you see “Enrolled in Zero Trust Access” in the Cisco Secure Client Tile, it indicates that Zero Trust Access is enabled and running
• This access model focuses on knowing, understanding, and controlling who and what is on your network. By definitively identifying users, the appropriate level of access is granted based on their role or function, and the network rights associated with those roles
• Beyond the traditional AnyConnect VPN, Zero Trust Access offers more granular control and a secure user experience for a comprehensive network solution. Unlike VPNs, which may trust any entity that passes network control, the Zero Trust Access approach does not trust any user or device until it is verified. No one is automatically trusted; once verified, users are granted limited access and are subject to continuous re-verification
• This model extends the zero-trust principle beyond the network, reducing the attack surface by concealing applications from the internet and ensuring that only authenticated and authorized users can access network resources

• Supported on Windows 10 and 11 (TPM-enabled devices) and macOS 11, 12, 13, and 14
  (TPM-enabled devices)
• Windows devices must be running on systems that include Trusted Platform Module version 2.0
• macOS devices must be running on systems that include a Secure Enclave such as MacBook Pro computers with Touch Bar (2016 and 2017) that contain the Apple T1 chip
• Intel-based Mac computers that contain the Apple T2 Security chip, or Mac computers with Apple silicon
• You must have Windows WebView2 installed if you are going to use the Zero Trust Access Module, and you must deploy it out of band
• If you are pre-deploying Zero Trust Access on macOS 11 or greater, refer to Additional Duo Desktop Requirements on macOS 11 (and later) for additional requirements iOS/iPadOS 17.2 (or later)
• Samsung device running Android version 14+ and Samsung Knox 3.10 or higher