PDF(932.2 KB) View with Adobe Reader on a variety of devices
Updated:February 9, 2021
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
AnyConnect Secure Mobility Client Features, Licenses, and OSs, Release 4.9
This document identifies the AnyConnect release 4.9 features, license requirements, and endpoint operating systems that AnyConnect features support.
Supported Operating Systems
Cisco AnyConnect Secure Mobility Client 4.9 supports the following operating systems.
Operating System
Version
Windows
Microsoft-supported versions of Windows 10 for ARM64-based PCs (VPN client, DART, ISE posture, and HostScan)
Current Microsoft supported versions of Windows 10 x86(32-bit) and x64(64-bit)
Windows 8.1 x86(32-bit) and x64(64-bit)
Windows 8 x86(32-bit) and x64(64-bit)
Windows 7 SP1 x86(32-bit) and x64(64-bit)
macOS
macOS 11.x (64-bit), 10.15(64-bit), 10.14(64-bit), and macOS 10.13*
Linux
Red Hat 8.2, 7, and 6 (64-bit)
Ubuntu 20.04 (LTS), 18.04 (LTS), and 16.04 (LTS)(all 64-bit)
*To use AnyConnect with macOS 10.13 (High Sierra), you must follow a manual process to leverage AnyConnect’s complete capabilities. AnyConnect 4.5.02033 has warnings to guide you through the steps. During AnyConnect installation of 4.5.02033, you see a “System Extension Blocked” message that says that if you want to enable this kernel extension, you must open Security and Privacy System Preferences. By clicking OK at this message, a window pops up that details what attention is required to enable the system extension. The window prompts you to
Open Preferences and
Allow the Cisco system software in the Security & Privacy screen.
Note: Cisco no longer supports AnyConnect releases for Windows XP.
See the Feature Matrix below for license information and operating system limitations that apply to AnyConnect modules and features.
AnyConnect 4.3 (and later) has moved to the Visual Studio (VS) 2015 build environment and requires VS redistributable files for its Network Access Manager module functionality. These files are installed as part of the install package. You can use the.msi files to upgrade the Network Access Manager module to 4.3 (or later), but the AnyConnect Security Mobility Client must be upgraded first and running release 4.3 (or later).
Also, with the addition of the AnyConnect Umbrella Roaming Security Module, Microsoft.NET 4.0 is required.
Supported Cryptographic Algorithms
The following table lists the cryptographic algorithms supported by AnyConnect. The cryptographic algorithms and cipher suites are shown in the order of preference, most to least. This preference order is dictated by Cisco’s Product Security Baseline to which all Cisco products must comply. Note that the PSB requirements change from time to time so the cryptographical algorithms supported by subsequent versions of AnyConnect will change accordingly.
Use of the AnyConnect Secure Mobility Client 4.9 requires that you purchase either an AnyConnect Plus or AnyConnect Apex license. The license(s) required depends on the AnyConnect VPN Client and Secure Mobility features that you plan to use, and the number of sessions that you want to support. These user-based licenses include access to support and software updates to align with general BYOD trends.
AnyConnect 4.9 licenses are used with Cisco ASA 5500 Series Adaptive Security Appliances (ASA), Integrated Services Routers (ISR), Cloud Services Routers (CSR), and Aggregated Services Routers (ASR), as well as other non-VPN headends such as Identity Services Engine (ISE), Cloud Web Security (CWS), and Web Security Appliance (WSA). A consistent model is used regardless of the headend, so there is no impact when headend migrations occur.
One or more of the following AnyConnect licenses may be required for your deployment:
License
Description
AnyConnect Plus
Supports basic AnyConnect features such as VPN functionality for PC and mobile platforms (AnyConnect and standards-based IPsec IKEv2 software clients), FIPS, basic endpoint context collection, 802.1x Windows supplicant, and web security SSL VPN. Plus licenses are most applicable to environments previously served by the AnyConnect Essentials license and users of Network Access Manager or Web Security modules.
AnyConnect Apex
Supports all basic AnyConnect Plus features in addition to advanced features such as clientless VPN, VPN posture agent, unified posture agent, Next Generation Encryption/Suite B, SAML, all plus services and flex licenses. Apex licenses are most applicable to environments previously served by the AnyConnect Premium, Shared, Flex, and Advanced Endpoint Assessment licenses.
VPN Only (Perpetual)
Supports VPN functionality for PC and mobile platforms, clientless (browser-based) VPN termination on ASA, VPN-only compliance and posture agent in conjunction with ASA, FIPS compliance, and next-generation encryption (Suite B) with AnyConnect and third-party IKEv2 VPN clients. VPN only licenses are most applicable to environments wanting to use AnyConnect exclusively for remote access VPN services but with high or unpredictable total user counts. No other AnyConnect function or service (such as Web Security module, Cisco Umbrella Roaming, ISE Posture, Network Visibility module, or Network Access Manager) is available with this licensee.
AnyConnect Plus and Apex Licenses
From the Cisco Commerce Workspace website, choose the service tier (Apex or Plus) and the length of term (1, 3, or 5 year). The number of licenses that are needed is based on the number of unique or authorized users that will make use of AnyConnect. AnyConnect 4.9 is not licensed based on simultaneous connections. You can mix Apex and Plus licenses in the same environment, and only one license is required for each user.
AnyConnect 4.9 licensed customers are also entitled to earlier AnyConnect releases.
Features Matrix
AnyConnect 4.9 modules and features, with their minimum release requirements, license requirements, and supported operating systems are listed in the following sections:
* Ability to minimize AnyConnect on VPN connect, or block connections to untrusted servers
AnyConnect Core VPN Client
Core Features
Feature
Minimum ASA/ASDM Release
License Required
Windows
macOS
Linux
SSL (TLS & DTLS), including Per App VPN
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
yes
SNI (TLS & DTLS)
n/a
Plus
yes
yes
yes
TLS Compression
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
yes
DTLS fallback to TLS
ASA 8.4.2.8
ASDM 6.3(1)
Plus
yes
yes
yes
IPsec/IKEv2
ASA 8.4(1)
ASDM 6.4(1)
Plus
yes
yes
yes
Split tunneling
ASA 8.0(x)
ASDM 6.3(1)
Plus
yes
yes
yes
Dynamic Split Tunneling
ASA 9.0
Plus, Apex, or VPN-only
yes
yes
no
Enhanced Dynamic Split Tunneling
ASA 9.0
Plus, Apex, or VPN-only
yes
yes
no
Split DNS
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
no
Ignore Browser Proxy
ASA 8.3(1)
ASDM 6.3(1)
Plus
yes
yes
no
Proxy Auto Config (PAC) file generation
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
no
no
Internet Explorer Connections tab lockdown
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
no
no
Optimal Gateway Selection
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
no
Global Site Selector (GSS) compatibility
ASA 8.0(4)
ASDM 6.4(1)
Plus
yes
yes
yes
Local LAN Access
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
yes
Tethered device access via client firewall rules, for synchronization
ASA 8.3(1)
ASDM 6.3(1)
Plus
yes
yes
yes
Local printer access via client firewall rules
ASA 8.3(1)
ASDM 6.3(1)
Plus
yes
yes
yes
IPv6
ASA 9.0
ASDM 7.0
Plus
yes
yes
no
Further IPv6 implementation
ASA 9.7.1
ASDM 7.7.1
Plus
yes
yes
yes
Certificate Pinning
no dependency
Plus, Apex, or VPN-only
yes
yes
yes
Management VPN tunnel
ASA 9.0
ASDM 7.10.1
Apex
yes
no
no
Connect and Disconnect Features
Feature
Minimum ASA/ASDM Release
License Required
Windows
macOS
Linux
Simultaneous Clientless & AnyConnect connections
ASA8.0(4)
ASDM 6.3(1)
Apex
yes
yes
yes
Start Before Logon (SBL)
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
no
no
Run script on connect & disconnect
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
yes
Minimize on connect
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
yes
Auto connect on start
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
yes
Auto reconnect (disconnect on system suspend, reconnect on system resume)
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
no
Remote User VPN Establishment (permitted or denied)
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
no
no
Logon Enforcement (terminate VPN session if another user logs in)
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
no
no
Retain VPN session (when user logs off, and then when this or another user logs in)
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
no
no
Trusted Network Detection (TND)
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
yes
Always on (VPN must be connected to access network)
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
no
Always on exemption via DAP
ASA 8.3(1)
ASDM 6.3(1)
Plus
yes
yes
no
Connect Failure Policy (Internet access allowed or disallowed if VPN connection fails)
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
no
Captive Portal Detection
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
yes
Captive Portal Remediation
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
no
Enhanced Captive Portal Remediation
no dependency
Plus
yes
no
no
Authentication and Encryption Features
Feature
Minimum ASA/ASDM Release
License Required
Windows
macOS
Linux
Certificate only authentication
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
yes
RSA SecurID /SoftID integration
Plus
yes
no
no
Smartcard support
Plus
yes
yes
no
SCEP (requires Posture Module if Machine ID is used)
Plus
yes
yes
no
List & select certificates
Plus
yes
no
no
FIPS
Plus
yes
yes
yes
SHA-2 for IPsec IKEv2 (Digital Signatures, Integrity, & PRF)
ASA 8.0(4)
ASDM 6.4(1)
Plus
yes
yes
yes
Strong Encryption (AES-256 & 3des-168)
Plus
yes
yes
yes
NSA Suite-B (IPsec only)
ASA 9.0
ASDM 7.0
Apex
yes
yes
yes
Enable CRL check
n/a
Apex
yes
no
no
SAML 2.0 SSO
ASA 9.7.1
ASDM 7.7.1
Apex or VPN only
yes
yes
yes
Enhanced SAML 2.0
ASA 9.7.1.24 ASA 9.8.2.28 ASA 9.9.2.1
Apex or VPN only
yes
yes
yes
Multiple-certificate authentication
ASA 9.7.1
ASDM 7.7.1
Plus, Apex, or VPN only
yes
yes
yes
Interfaces
Feature
Minimum ASA/ASDM Release
License Required
Windows
macOS
Linux
GUI
ASA 8.0(4)
ASDM 6.3(1)
Plus
yes
yes
yes
Command Line
yes
yes
yes
API
yes
yes
yes
Microsoft Component Object Module (COM)
yes
no
no
Localization of User Messages
yes
yes
no
Custom MSI transforms
yes
no
no
User defined resource files
yes
yes
no
Client Help
ASA 9.0
ASDM 7.0
yes
yes
no
AnyConnect Network Access Manager
Feature
Minimum ASA/ASDM Release
License Required
Windows
macOS
Linux
Core
ASA 8.4(1)
ASDM 6.4(1)
Plus
yes
no
no
Wired support IEEE 802.3
yes
Wireless support IEEE 802.11
yes
Pre-logon & Single Sign on Authentication
yes
IEEE 802.1X
yes
IEEE 802.1AE MACsec
yes
EAP methods
yes
FIPS 140-2 Level 1
yes
Mobile Broadband support
ASA 8.4(1)
ASDM 7.0
yes
IPv6
ASA 9.0
ASDM 7.0
yes
NGE and NSA Suite-B
yes
TLS 1.2 for VPN connectivity*
n/a
yes
no
no
* If you are using ISE as a RADIUS server, note the following guideline:
ISE started support for TLS 1.2 in release 2.0. Network Access Manager and ISE will negotiate to TLS 1.0 if you have the AnyConnect 4.7 version with TLS 1.2 and an ISE release prior to 2.0. Therefore, if you upgrade AnyConnect Network Access Manager to 4.7 and use EAP-FAST with ISE 2.0 (or later) for RADIUS servers, you must upgrade to the 2.4p5 release of ISE.
AnyConnect Secure Mobility Modules
HostScan and Posture Assessment
Feature
Minimum ASA/ASDM Release
License Required
Windows
macOS
Linux
Endpoint Assessment
ASA 8.0(4)
ASDM 6.3(1)
Apex
yes
yes
yes
Endpoint Remediation
Apex
yes
yes
yes
Quarantine
Apex
yes
yes
yes
Quarantine status & terminate message
ASA 8.3(1)
ASDM 6.3(1)
Apex
yes
yes
yes
HostScan Package Update
ASA 8.4(1)
ASDM 6.4(1)
Apex
yes
yes
yes
Host Emulation Detection
Apex
yes
no
no
OPSWAT v4
ASA 9.9(1)
ASDM 7.9(1)
Apex
yes
yes
yes
ISE Posture
Feature
Minimum AnyConnect Release
Minimum ASA/ASDM Release
Minimum ISE Release
License Required
Windows
macOS
Linux
Change of Authorization (CoA)
4.0
ASA 9.2.1
ASDM 7.2.1
2.0
Plus
yes
yes
yes
ISE Posture Profile Editor
4.0
ASA 9.2.1
ASDM 7.2.1
n/a
Apex
yes
yes
yes
AC Identity Extensions (ACIDex)
4.0
n/a
2.0
Plus
yes
yes
yes
ISE Posture Module
4.0
n/a
2.0
Apex
yes
yes
no
Detection of USB mass storage devices (v4 only)
4.3
n/a
2.1
Apex
yes
no
no
OPSWAT v4
4.3
n/a
2.1
Apex
yes
yes
no
Stealth Agent for posture
4.4
n/a
2.2
Apex
yes
yes
no
Continuous endpoint monitoring
4.4
n/a
2.2
Apex
yes
yes
no
Next-generation provisioning and discovery
4.4
n/a
2.2
Apex
yes
yes
no
Application kill and uninstall capabilities
4.4
n/a
2.2
Apex
yes
yes
no
Cisco Temporal Agent
4.5
n/a
2.3
ISE Apex
yes
yes
no
Enhanced SCCM approach
4.5
n/a
2.3
AC Apex and ISE Apex
yes
no
no
Posture policy enhancements for optional mode
4.5
n/a
2.3
AC Apex and ISE Apex
yes
yes
no
Periodic probe interval in profile editor
4.5
n/a
2.3
AC Apex and ISE Apex
yes
yes
no
Visibility into hardware inventory
4.5
n/a
2.3
AC Apex and ISE Apex
yes
yes
no
Grace period for noncompliant devices
4.6
n/a
2.4
AC Apex and ISE Apex
yes
yes
no
Posture rescan
4.6
n/a
2.4
AC Apex and ISE Apex
yes
yes
no
AnyConnect stealth mode notifications
4.6
n/a
2.4
AC Apex and ISE Apex
yes
yes
no
Disabling UAC prompt
4.6
n/a
2.4
AC Apex and ISE Apex
yes
no
no
Enhanced grace period
4.7
n/a
2.6
AC Apex and ISE Apex
yes
yes
no
Custom notification controls and revamp of remediation windows
4.7
n/a
2.6
AC Apex and ISE Apex
yes
yes
no
End-to-end agentless posture flow
4.9
n/a
3.0
AC Apex and ISE Apex
yes
yes
no
Warning!
Incompatibility warning: If you are an ISE customer running 2.0 or higher you must read this before proceeding!
The ISE RADIUS has supported TLS 1.2 since release 2.0, however there is a defect in the ISE implementation of EAP-FAST using TLS 1.2 tracked by CSCvm03681. The defect has been fixed in the 2.4p5 release of ISE.
If NAM 4.7 (or later) is used to authenticate using EAP-FAST with any ISE releases that support TLS 1.2 prior to the above releases, the authentication will fail and the endpoint will not have access to the network.
Web Security
Feature
Minimum ASA/ASDM Release
License Required
Windows
macOS
Linux
Core
ASA 8.4(1)
ASDM 6.4(1)
Plus
Yes
Yes
yes
no
Cloud-Hosted Configuration
Secure Trusted Network Detection
ASA 8.4(1)
ASDM 7.0
Dynamic Configuration Elements
Fail Close / Fail Open Policy
AMP Enabler
Feature
Minimum ASA/ASDM Release
Minimum ISE Release
License Required
Windows
macOS
Linux
AMP enabler
ASDM 7.4.2
ASA 9.4.1
ISE 1.4
Plus
Yes
Yes
No
Network Visibility Module
Feature
Minimum ASA/ASDM Release
Minimum ISE Release
License Required
Windows
macOS
Linux
Network Visibility Module
ASDM 7.5.1
ASA 9.5.1
no ISE dependency
Apex
Yes
Yes
Yes
Adjustment to the rate at which data is sent
ASDM 7.5.1
ASA 9.5.1
no ISE dependency
Apex
Yes
Yes
Yes
Customization of NVM timer
ASDM 7.5.1
ASA 9.5.1
no ISE dependency
Apex
Yes
Yes
Yes
Broadcast and multicast option for data collection
ASDM 7.5.1
ASA 9.5.1
no ISE dependency
Apex
Yes
Yes
Yes
Creation of anonymization profiles
ASDM 7.5.1
ASA 9.5.1
no ISE dependency
Apex
Yes
Yes
Yes
Broader data collection and anonymization with hashing
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.