Updated: November 6, 2014
See the Feature Matrix below for license information and operating system limitations that apply to AnyConnect modules and features.
License Options
Use of the AnyConnect Secure Mobility Client 4.0 requires that you purchase either an AnyConnect Plus or AnyConnect Apex license. The license(s) required depends on the AnyConnect VPN Client and Secure Mobility features that you plan to use, and the number of sessions that you want to support. These user-based licenses include access to support and software updates to align with general BYOD trends.
AnyConnect 4.0 licenses are used with Cisco ASA 5500 Series Adaptive Security Appliances (ASA), Integrated Services Routers (ISR), Cloud Services Routers (CSR), and Aggregated Services Routers (ASR), as well as other non-VPN headends such as Identity Services Engine (ISE), Cloud Web Security (CWS), and Web Security Appliance (WSA). A consistent model is used regardless of the headend, so there is no impact when headend migrations occur.
One or more of the following AnyConnect licenses may be required for your deployment:

| License | Description |
| --- | --- |
| AnyConnect Plus | Supports basic AnyConnect features such as VPN functionality for PC and mobile platforms (AnyConnect and standards-based IPsec IKEv2 software clients), FIPS, basic endpoint context collection, 802.1x Windows supplicant, and web security SSL VPN. Plus licenses are most applicable to environments previously served by the AnyConnect Essentials license and users of Network Access Manager or Web Security modules. |
| AnyConnect Apex | Supports all basic AnyConnect Plus features in addition to advanced features such as clientless VPN, VPN posture agent, unified posture agent, Next Generation Encryption/Suite B, all plus services and flex licenses. Apex licenses are most applicable to environments previously served by the AnyConnect Premium, Shared, Flex, and Advanced Endpoint Assessment licenses. |

AnyConnect Plus and Apex Licenses
From the Cisco Commerce Workspace website, choose the service tier (Apex or Plus) and the length of term (1, 3, or 5 year). The number of licenses that are needed is based on the number of unique or authorized users that will make use of AnyConnect. AnyConnect 4.0 is not licensed based on simultaneous connections. You can mix Apex and Plus licenses in the same environment, and only one license is required for each user.
AnyConnect 4.0 licensed customers are also entitled to earlier AnyConnect releases.
Features Matrix
AnyConnect 4.0 modules and features, with their minimum release requirements, license requirements, and supported operating systems, are listed in the following sections:
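
| Feature | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- |
| Tethered device access via client firewall rules, for synchronization | ASA 8.3(1) / ASDM 6.3(1) | Plus | yes | yes | yes |
| Local printer access via client firewall rules | ASA 8.3(1) / ASDM 6.3(1) | Plus | yes | yes | yes |
| IPv6 | ASA 9.0 / ASDM 7.0 | Plus | yes | yes | no |
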
Connect and Disconnect Features

| Feature | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- |
| Simultaneous Clientless & AnyConnect connections | ASA 8.0(4) / ASDM 6.3(1) | Apex | yes | yes | yes |
| Start Before Logon (SBL) | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | no | no |
| Run script on connect & disconnect | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | yes | yes |
| Minimize on connect | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | yes | yes |
| Auto connect on start | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | yes | yes |
| Auto reconnect (disconnect on system suspend, reconnect on system resume) | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | yes | no |
| Remote User VPN Establishment (permitted or denied) | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | no | no |
| Logon Enforcement (terminate VPN session if another user logs in) | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | no | no |
| Retain VPN session (when user logs off, and then when this or another user logs in) | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | no | no |
| Trusted Network Detection (TND) | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | yes | no |
| Always on (VPN must be connected to access network) | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | yes | no |
| Always on exemption via DAP | ASA 8.3(1) / ASDM 6.3(1) | Plus | yes | yes | no |
| Connect Failure Policy (Internet access allowed or disallowed if VPN connection fails) | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | yes | no |
| Captive Portal Detection | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | yes | no |
| Captive Portal Remediation | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | yes | no |

Authentication and Encryption Features

| Feature | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- |
| Certificate only authentication | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | yes | yes |
| RSA SecurID/SoftID integration | | Plus | yes | no | no |
| Smartcard support | | Plus | yes | yes | no |
| SCEP (requires Posture Module if Machine ID is used) | | Plus | yes | yes | no |
| List & select certificates | | Plus | yes | no | no |
| FIPS | | Plus | yes | yes | yes |
| SHA-2 for IPsec IKEv2 (Digital Signatures, Integrity, & PRF) | ASA 8.0(4) / ASDM 6.4(1) | Plus | yes | yes | yes |
| Strong Encryption (AES-256 & 3DES-168) | | Plus | yes | yes | yes |
| NSA Suite-B (IPsec only) | ASA 9.0 / ASDM 7.0 | Apex | yes | yes | yes |

Interfaces

| Feature | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- |
| GUI | ASA 8.0(4) / ASDM 6.3(1) | Plus | yes | yes | yes |
| Command Line | | | yes | yes | yes |
| API | | | yes | yes | yes |
| Microsoft Component Object Module (COM) | | | yes | no | no |
| Localization of User Messages | | | yes | yes | no |
| Custom MSI transforms | | | yes | no | no |
| User defined resource files | | | yes | yes | no |
| Client Help | ASA 9.0 / ASDM 7.0 | | yes | yes | yes |

AnyConnect Network Access Manager
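
| Feature | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- |
| Core | ASA 8.4(1) / ASDM 6.4(1) | Plus | yes | no | no |
| Wired support IEEE 802.3 | | | yes | | |
| Wireless support IEEE 802.11 | | | yes | | |
| Pre-logon & Single Sign on Authentication | | | yes | | |
| IEEE 802.1X | | | yes | | |
| IEEE 802.1AE MACsec | | | yes | | |
| EAP methods | | | yes | | |
| FIPS 140-2 Level 1 | | | yes | | |
| Mobile Broadband support | ASA 8.4(1) / ASDM 7.0 | | yes | | |
| IPv6 | ASA 9.0 / ASDM 7.0 | | yes | | |
| NGE and NSA Suite-B | | | yes | | |
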
AnyConnect Secure Mobility Modules
Hostscan and Posture Assessment

| Feature | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- |
| Endpoint Assessment | ASA 8.0(4) / ASDM 6.3(1) | Apex | yes | yes | yes |
| Endpoint Remediation | | Apex | yes | yes | yes |
| Quarantine | | Apex | yes | yes | yes |
| Quarantine status & terminate message | ASA 8.3(1) / ASDM 6.3(1) | Apex | yes | yes | yes |
| Hostscan Package Update | ASA 8.4(1) / ASDM 6.4(1) | Apex | yes | yes | yes |
| Host Emulation Detection | | Apex | yes | no | no |

ISE Posture

| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | Minimum ISE Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Change of Authorization (CoA) | 4.0 | ASA 9.2.1 / ASDM 7.2.1 | 1.4 | Plus | yes | yes | yes |
| ISE Posture Profile Editor | 4.0 | ASA 9.2.1 / ASDM 7.2.1 | n/a | Apex | yes | yes | yes |
| AC Identity Extensions (ACIDex) | 4.0 | n/a | 1.4 | Plus | yes | yes | yes |
| ISE Posture Module | 4.0 | n/a | 1.4 | Apex | yes | yes | no |

Web Security
Feature
Minimum ASA/ASDM Release
License Required
Windows
Mac
Linux
Core
ASA 8.4(1)
ASDM 6.4(1)
Plus
Yes
Yes
yes
no
Cloud-Hosted Configuration
Secure Trusted Network Detection
ASA 8.4(1)
ASDM 7.0
Dynamic Configuration Elements
Fail Close / Fail Open Policy
Reporting and Troubleshooting Modules
Customer Experience Feedback

| Feature | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- |
| Customer Experience Feedback | ASA 8.4(1) / ASDM 7.0 | Plus | yes | yes | no |

Diagnostic and Report Tool (DART)

| Log Type | Minimum ASA/ASDM Release | License Required | Windows | Mac | Linux |
| --- | --- | --- | --- | --- | --- |
| VPN | ASA 8.0(4) / ASDM 6.3(1) | Plus, Apex | yes | yes | yes |
| Network Access Manager | ASA 8.4(1) / ASDM 6.4(1) | | yes | no | no |
| Posture Assessment | | | yes | yes | yes |
| Web Security | | | yes | yes | no |
