Updated: November 22, 2024
This document identifies the Cisco Secure Client release 5 features, license requirements, and endpoint operating systems that are supported in the Secure Client (including AnyConnect).
Supported Operating Systems
Cisco Secure Client 5 supports the following operating systems.
Windows
Windows 11 (64-bit)
Microsoft-supported versions of Windows 11 for ARM64-based PCs (Supported only in VPN client, DART, Secure Firewall Posture, Network Visibility Module, Umbrella Module, ISE Posture, and Zero Trust Access Module)
Windows 10 x86 (32-bit) and x64 (64-bit)
macOS (64-bit only)
macOS 15 Sequoia
macOS 14 Sonoma
macOS 13 Ventura
Linux
Red Hat
– 9.x
– 8.x*
* Except ISE Posture Module, which only supports 8.1 (and later).
Ubuntu
– 24.04
– 22.04
– 20.04
SUSE (SLES)
– VPN: Limited support. Used only to install ISE Posture.
– Not supported for Secure Firewall Posture or Network Visibility Module.
– ISE Posture: 12.3 (and later) and 15.0 (and later)
See the Feature Matrix below for license information and operating system limitations that apply to Cisco Secure Client modules and features.
Supported Cryptographic Algorithms
The following table lists the cryptographic algorithms supported by Cisco Secure Client. The cryptographic algorithms and cipher suites are shown in order of preference, from most to least preferred. This preference order is dictated by Cisco’s Product Security Baseline (PSB), with which all Cisco products must comply. Note that the PSB requirements change from time to time, so the cryptographic algorithms supported by subsequent versions of Secure Client will change accordingly.
Use of the Cisco Secure Client 5 requires that you purchase either a Premier or Advantage license. The license(s) required depends on the Secure Client features that you plan to use, and the number of sessions that you want to support. These user-based licenses include access to support and software updates to align with general BYOD trends.
Secure Client 5 licenses are used with Cisco Secure Firewall Adaptive Security Appliances (ASA), Integrated Services Routers (ISR), Cloud Services Routers (CSR), and Aggregated Services Routers (ASR), as well as other non-VPN headends such as Identity Services Engine (ISE). A consistent model is used regardless of the headend, so there is no impact when headend migrations occur.
One or more of the following Cisco Secure licenses may be required for your deployment:
| License | Description |
|---|---|
| Advantage | Supports basic Secure Client features such as VPN functionality for PC and mobile platforms (Secure Client and standards-based IPsec IKEv2 software clients), FIPS, basic endpoint context collection, and 802.1x Windows supplicant. |
| Premier | Supports all basic Secure Client Advantage features in addition to advanced features such as Network Visibility Module, clientless VPN, VPN posture agent, unified posture agent, Next Generation Encryption/Suite B, SAML, all plus services and flex licenses. |
| VPN Only (Perpetual) | Supports VPN functionality for PC and mobile platforms, clientless (browser-based) VPN termination on Secure Firewall ASA, VPN-only compliance and posture agent in conjunction with ASA, FIPS compliance, and next-generation encryption (Suite B) with Secure Client and third-party IKEv2 VPN clients. VPN only licenses are most applicable to environments wanting to use Secure Client exclusively for remote access VPN services but with high or unpredictable total user counts. No other Secure Client function or service (such as Cisco Umbrella Roaming, ISE Posture, Network Visibility module, or Network Access Manager) is available with this license. |
Cisco Secure Client Advantage and Premier Licenses
From the Cisco Commerce Workspace website, choose the service tier (Advantage or Premier) and the length of term (1, 3, or 5 year). The number of licenses that are needed is based on the number of unique or authorized users that will make use of Secure Client. Secure Client is not licensed based on simultaneous connections. You can mix Advantage and Premier licenses in the same environment, and only one license is required for each user.
Cisco Secure 5 licensed customers are also entitled to earlier AnyConnect releases.
Features Matrix
Cisco Secure 5 modules and features, with their minimum release requirements, license requirements, and supported operating systems are listed in the following sections:
| Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
|---|---|---|---|---|---|
| Auto reconnect (disconnect on system suspend, reconnect on system resume) | ASA 8.0(4), ASDM 6.3(1) | Advantage | yes | yes | no |
| Remote User VPN Establishment (permitted or denied) | ASA 8.0(4), ASDM 6.3(1) | Advantage | yes | no | no |
| Logon Enforcement (terminate VPN session if another user logs in) | ASA 8.0(4), ASDM 6.3(1) | Advantage | yes | no | no |
| Retain VPN session (when user logs off, and then when this or another user logs in) | ASA 8.0(4), ASDM 6.3(1) | Advantage | yes | no | no |
| Trusted Network Detection (TND) | ASA 8.0(4), ASDM 6.3(1) | Advantage | yes | yes | yes |
| Always on (VPN must be connected to access network) | ASA 8.0(4), ASDM 6.3(1) | Advantage | yes | yes | no |
| Always on exemption via DAP | ASA 8.3(1), ASDM 6.3(1) | Advantage | yes | yes | no |
| Connect Failure Policy (Internet access allowed or disallowed if VPN connection fails) | ASA 8.0(4), ASDM 6.3(1) | Advantage | yes | yes | no |
| Captive Portal Detection | ASA 8.0(4), ASDM 6.3(1) | Advantage | yes | yes | yes |
| Captive Portal Remediation | ASA 8.0(4), ASDM 6.3(1) | Advantage | yes | yes | no |
| Enhanced Captive Portal Remediation | no dependency | Advantage | yes | yes | no |
| Dual-home Detection | no dependency | n/a | yes | yes | yes |
Authentication and Encryption Features
| Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
|---|---|---|---|---|---|
| Certificate only authentication | ASA 8.0(4), ASDM 6.3(1) | Advantage | yes | yes | yes |
| RSA SecurID /SoftID integration | | Advantage | yes | no | no |
| Smartcard support | | Advantage | yes | yes | no |
| SCEP (requires Posture Module if Machine ID is used) | | Advantage | yes | yes | no |
| List & select certificates | | Advantage | yes | no | no |
| FIPS | | Advantage | yes | yes | yes |
| SHA-2 for IPsec IKEv2 (Digital Signatures, Integrity, & PRF) | ASA 8.0(4), ASDM 6.4(1) | Advantage | yes | yes | yes |
| Strong Encryption (AES-256 & 3des-168) | | Advantage | yes | yes | yes |
| NSA Suite-B (IPsec only) | ASA 9.0, ASDM 7.0 | Premier | yes | yes | yes |
| Enable CRL check | n/a | Premier | yes | no | no |
| SAML 2.0 SSO | ASA 9.7.1, ASDM 7.7.1 | Premier or VPN only | yes | yes | yes |
| Enhanced SAML 2.0 | ASA 9.7.1.24, ASA 9.8.2.28, ASA 9.9.2.1 | Premier or VPN only | yes | yes | yes |
| External Browser SAML Package for Enhanced Web Authentication | ASA 9.17.1, ASDM 7.17.1 | Premier or VPN only | yes | yes | yes |
| Multiple-certificate authentication | ASA 9.7.1, ASDM 7.7.1 | Advantage, Premier, or VPN only | yes | yes | yes |
Interfaces
| Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
|---|---|---|---|---|---|
| GUI | ASA 8.0(4), ASDM 6.3(1) | Advantage | yes | yes | yes |
| Command Line | | | yes | yes | yes |
| API | | | yes | yes | yes |
| Microsoft Component Object Module (COM) | | | yes | no | no |
| Localization of User Messages | | | yes | yes | yes |
| Custom MSI transforms | | | yes | no | no |
| User defined resource files | | | yes | yes | no |
| Client Help | ASA 9.0, ASDM 7.0 | | yes | yes | no |
Cisco Secure Client Modules
Secure Firewall Posture (Formerly HostScan) and Posture Assessment
| Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
|---|---|---|---|---|---|
| Endpoint Assessment | ASA 8.0(4), ASDM 6.3(1) | Premier | yes | yes | yes |
| Endpoint Remediation | | Premier | yes | yes | yes |
| Quarantine | | Premier | yes | yes | yes |
| Quarantine status & terminate message | ASA 8.3(1), ASDM 6.3(1) | Premier | yes | yes | yes |
| Secure Firewall Posture Package Update | ASA 8.4(1), ASDM 6.4(1) | Premier | yes | yes | yes |
| Host Emulation Detection | | Premier | yes | no | no |
| OPSWAT v4 | ASA 9.9(1), ASDM 7.9(1) | Premier | yes | yes | yes |
| Disk Encryption | ASA 9.17(1), ASDM 7.17(1) | | yes | yes | yes |
| AutoDART | n/a | n/a | yes | yes | yes |
ISE Posture
| Feature | Minimum AnyConnect Release | Minimum ASA/ASDM Release | Minimum ISE Release | License Required | Windows | macOS | Linux |
|---|---|---|---|---|---|---|---|
| ISE Posture CLI | 5.0.01xxx | n/a | n/a | n/a | yes | no | no |
| Posture State Synchronization | 5.0 | n/a | 3.1 | n/a | yes | yes | yes |
| Change of Authorization (CoA) | 4.0 | ASA 9.2.1, ASDM 7.2.1 | 2.0 | Advantage | yes | yes | yes |
| ISE Posture Profile Editor | 4.0 | ASA 9.2.1, ASDM 7.2.1 | n/a | Premier | yes | yes | yes |
| AC Identity Extensions (ACIDex) | 4.0 | n/a | 2.0 | Advantage | yes | yes | yes |
| ISE Posture Module | 4.0 | n/a | 2.0 | Premier | yes | yes | yes |
| Detection of USB mass storage devices (v4 only) | 4.3 | n/a | 2.1 | Premier | yes | no | no |
| OPSWAT v4 | 4.3 | n/a | 2.1 | Premier | yes | yes | no |
| Stealth Agent for posture | 4.4 | n/a | 2.2 | Premier | yes | yes | no |
| Continuous endpoint monitoring | 4.4 | n/a | 2.2 | Premier | yes | yes | no |
| Next-generation provisioning and discovery | 4.4 | n/a | 2.2 | Premier | yes | yes | no |
| Application kill and uninstall capabilities | 4.4 | n/a | 2.2 | Premier | yes | yes | no |
| Cisco Temporal Agent | 4.5 | n/a | 2.3 | ISE Premier | yes | yes | no |
| Enhanced SCCM approach | 4.5 | n/a | 2.3 | Premier: Secure Client and ISE | yes | no | no |
| Posture policy enhancements for optional mode | 4.5 | n/a | 2.3 | Premier: Secure Client and ISE | yes | yes | no |
| Periodic probe interval in profile editor | 4.5 | n/a | 2.3 | Premier: Secure Client and ISE | yes | yes | no |
| Visibility into hardware inventory | 4.5 | n/a | 2.3 | Premier: Secure Client and ISE | yes | yes | no |
| Grace period for noncompliant devices | 4.6 | n/a | 2.4 | Premier: Secure Client and ISE | yes | yes | no |
| Posture rescan | 4.6 | n/a | 2.4 | Premier: Secure Client and ISE | yes | yes | no |
| Secure Client stealth mode notifications | 4.6 | n/a | 2.4 | Premier: Secure Client and ISE | yes | yes | no |
| Disabling UAC prompt | 4.6 | n/a | 2.4 | Premier: Secure Client and ISE | yes | no | no |
| Enhanced grace period | 4.7 | n/a | 2.6 | Premier: Secure Client and ISE | yes | yes | no |
| Custom notification controls and revamp of remediation windows | 4.7 | n/a | 2.6 | Premier: Secure Client and ISE | yes | yes | no |
| End-to-end agentless posture flow | 4.9 | n/a | 3.0 | Premier: Secure Client and ISE | yes | yes | no |
Network Access Manager
| Feature | Minimum ASA/ASDM Release | License Required | Windows | macOS | Linux |
|---|---|---|---|---|---|
| Core | ASA 8.4(1), ASDM 6.4(1) | Advantage | yes | no | no |
| Wired support IEEE 802.3 | | | yes | | |
| Wireless support IEEE 802.11 | | | yes | | |
| Pre-logon & Single Sign on Authentication | | | yes | | |
| IEEE 802.1X | | | yes | | |
| IEEE 802.1AE MACsec | | | yes | | |
| EAP methods | | | yes | | |
| FIPS 140-2 Level 1 | | | yes | | |
| Mobile Broadband support | ASA 8.4(1), ASDM 7.0 | | yes | | |
| IPv6 | ASA 9.0, ASDM 7.0 | | yes | | |
| NGE and NSA Suite-B | | | yes | | |
| TLS 1.2 for VPN connectivity* | n/a | | yes | no | no |
| WPA3 Enhanced Open (OWE) and WPA3 Personal (SAE) support | n/a | | yes | no | no |
* If you are using ISE as a RADIUS server, note the following guideline:
ISE started support for TLS 1.2 in release 2.0. Network Access Manager and ISE will negotiate to TLS 1.0 if you have Cisco Secure Client with TLS 1.2 and an ISE release prior to 2.0. Therefore, if you use Network Access Manager and EAP-FAST with ISE 2.0 (or later) for RADIUS servers, you must upgrade to the appropriate release of ISE as well.
Warning!
Incompatibility warning: If you are an ISE customer running 2.0 or higher, you must read this before proceeding!
The ISE RADIUS has supported TLS 1.2 since release 2.0; however, there is a defect in the ISE implementation of EAP-FAST using TLS 1.2, tracked by CSCvm03681. The defect has been fixed in the 2.4p5 release of ISE.
If NAM is used to authenticate using EAP-FAST with any ISE releases that support TLS 1.2 prior to the above releases, the authentication will fail and the endpoint will not have access to the network.
AMP Enabler
| Feature | Minimum ASA/ASDM Release | Minimum ISE Release | License Required | Windows | macOS | Linux |
|---|---|---|---|---|---|---|
| AMP enabler | ASDM 7.4.2, ASA 9.4.1 | ISE 1.4 | Advantage | n/a | Yes | n/a |
Network Visibility Module
| Feature | Minimum ASA/ASDM Release | Minimum ISE Release | License Required | Windows | macOS | Linux |
|---|---|---|---|---|---|---|
| Network Visibility Module | ASDM 7.5.1, ASA 9.5.1 | no ISE dependency | Premier | Yes | Yes | Yes |
| Adjustment to the rate at which data is sent | ASDM 7.5.1, ASA 9.5.1 | no ISE dependency | Premier | Yes | Yes | Yes |
| Customization of NVM timer | ASDM 7.5.1, ASA 9.5.1 | no ISE dependency | Premier | Yes | Yes | Yes |
| Broadcast and multicast option for data collection | ASDM 7.5.1, ASA 9.5.1 | no ISE dependency | Premier | Yes | Yes | Yes |
| Creation of anonymization profiles | ASDM 7.5.1, ASA 9.5.1 | no ISE dependency | Premier | Yes | Yes | Yes |
Broader data collection and anonymization with hashing
We addressed specific Voluntary Product Accessibility Template (VPAT) compliance standards to benefit those who are disadvantaged and to drive productivity through digital transformation:
High contrast theme, which fixed invisible hyperlinks in the About dialog and tile title
Minimum contrast ratio which increased contrast by adjusting the text colors of the tile submenu and DART menu description
Keyboard navigation with Windows common shortcut keys (Tab, Enter, Spacebar)
Navigation and selection of Advanced Window with Menu buttons (using Up/Down and Left/Right arrow keys)
Keyboard access to Preference/About/DART windows from the Advanced Window
Keyboard navigation with PgUp/PgDn to expand/collapse the statistics group
Navigation and selection focus visibility for DART and Cisco Secure Client UIs
Mismatch between screen reader of log settings and JAWS announcement was adjusted
Mismatch between screen reader of DART encryption menu and JAWS announcement was adjusted
Appropriate JAWS announcement for label in name