The Cisco® AnyConnect Secure Mobility Client consistently raises the bar in remote access technology by making the experience more seamless and more secure than ever. The AnyConnect Secure Mobility Client provides a secure connectivity experience across a broad set of PC- and smartphone-based mobile devices, such as the Apple iPhone. As mobile workers roam to different locations, an always-on intelligent VPN enables the AnyConnect Secure Mobility Client to automatically select the optimal network access point and adapt its tunneling protocol to the most efficient method, for example the Datagram Transport Layer Security (DTLS) protocol for latency-sensitive traffic such as voice over IP (VoIP) or TCP-based application access.
Built-in web security and malware threat defense as part of the Cisco AnyConnect Secure Mobility Solution provides a choice to leverage either the premise-based Cisco IronPort® Web Security Appliance or cloud-based Cisco ScanSafe web security offerings for reliable and secure employee access to corporate resources. Secure mobility combines web security, malware threat defense, and remote access for a comprehensive and secure enterprise mobility solution. Consistent, context-aware security policies ensure a protected and productive work environment.
Robust posture assessment capabilities protect the integrity of the corporate network by restricting VPN access based on an endpoint's security posture. Prior to establishing connectivity, a system may be validated for compliance with various antivirus, personal firewall, or antispyware products, and may undergo additional system checks. An advanced endpoint assessment option is available to automate the process of remediating out-of-compliance endpoint security applications.
In addition to industry-leading VPN capabilities, the Cisco AnyConnect Secure Mobility Client enables IEEE 802.1X capability, providing a single authentication framework to manage user and device identity, as well as the network access protocols required to move smoothly from wired to wireless networks. Consistent with its VPN functionality, the Cisco AnyConnect Secure Mobility Client supports IEEE 802.1AE (MACsec) for data confidentiality, data integrity, and data origin authentication on wired networks, safeguarding communication between trusted components of the network.
AnyConnect Secure Mobility Client Modules
The Cisco AnyConnect Secure Mobility Client is a lightweight, highly modular security client providing easily customizable capabilities based on the individual needs of the business. Features such as VPN, 802.1X, and Secure Mobility for ScanSafe are available in separately deployable modules, allowing organizations to select the features and functionality most applicable to their secure connectivity needs. This keeps AnyConnect nimble and operationally efficient, while providing maximum flexibility and benefit to the organization.
Features and Benefits
Table 1 lists the features and benefits of the Cisco AnyConnect Secure Mobility Client.
Table 1. Features and Benefits
Remote-Access Virtual Private Networking (VPN)
Feature
Benefit
VPN Protocol Choice: SSL (TLS and DTLS) and IPsec/IKEv2 (New in AnyConnect 3.0)
• AnyConnect now provides a choice of VPN protocols, allowing administrators to use whichever protocol best fits their business needs
• Tunneling support includes SSL (TLS and DTLS) and next-generation IPsec (IKEv2)
• DTLS provides an optimized connection for latency-sensitive traffic, such as VoIP traffic or TCP-based application access
• TLS (HTTP over TLS/SSL) ensures availability of network connectivity through locked-down environments, including those using web proxy servers
• IPsec/IKEv2 provides an optimized connection for latency-sensitive traffic when security policies require use of IPsec
Optimal Gateway Selection
• Determines and establishes connectivity to the optimal network access point, eliminating the need for end users to determine the nearest location
Mobility-Friendly
• Designed for mobile users
• Can be configured so that the VPN connection remains established during IP address changes, loss of connectivity, and/or hibernation or standby
• Trusted Network detection enables the VPN connection to automatically disconnect when an end user is in the office and connect when a user is at a remote location
Encryption
• Supports strong encryption, including AES-256 and 3DES-168 (The head-end device must have a strong-crypto license enabled.)
Broad Operating System Support
• Windows 7 32-bit (x86) and 64-bit (x64)
• Windows Vista 32-bit (x86) and 64-bit (x64), including Service Packs 1 and 2 (SP1/SP2)
• XP SP2+ 32-bit (x86) and 64-bit (x64)
• Mac OS X 10.5 and 10.6.x
• Linux Intel (2.6.x kernel)
Cisco AnyConnect Mobile (requires optional AnyConnect Mobile license)
• Apple iOS 4
• Windows Mobile 5.0, 6.0, and 6.1 (Professional and Classic)
Wide Range of Deployment and Connection Options
Deployment options:
• Pre-deployment, including Microsoft Installer
• Automatic headend deployment (administrative rights are required for initial installation) via ActiveX (Windows only) and Java
Connection modes:
• Standalone via system icon
• Browser-initiated (Weblaunch)
• Clientless portal initiated
• CLI-initiated
• API-initiated
Wide Range of Authentication Options
• RADIUS
• RADIUS with Password Expiry (MSCHAPv2) to NT LAN Manager (NTLM)
• RADIUS one-time password (OTP) support (state/reply message attributes)
• RSA SecurID (including SoftID integration)
• Active Directory/Kerberos
• Embedded Certificate Authority (CA)
• Digital Certificate/Smartcard (including Machine Certificate support), auto- or user-selected
• Lightweight Directory Access Protocol (LDAP) with Password Expiry and Aging
• Generic LDAP support
• Combined certificate and username/password multifactor authentication (double authentication)
Ease of Client Administration
• Allows an administrator to automatically distribute software and policy updates from the head-end security appliance, thereby eliminating administration associated with client software updates
• Administrators can determine which capabilities to make available for end-user configuration
• Administrators can trigger an endpoint script at connect/disconnect time when domain login scripts cannot be utilized
• Administrators can fully customize and/or localize end-user visible messages
Consistent User Experience
• Full-tunnel client mode supports remote-access users requiring a consistent LAN-like user experience
• Multiple delivery methods help ensure broad compatibility of Cisco AnyConnect
• In conjunction with Cisco Secure Desktop, Host Scan verification checks for the presence of antivirus software, personal firewall software, and Windows service packs on the endpoint system prior to granting network access
• Administrators also have the option of defining custom posture checks based on the presence of running processes
• Cisco Secure Desktop can detect the presence of a watermark on a remote system. The watermark can be used to identify assets that are corporate-owned and provide differentiated access as a result. The watermark-checking capability includes system registry values, file existence matching a required CRC32 checksum, IP address range matching, and certificate issued by/to matching
• An advanced endpoint assessment option is available to automate the process of repairing out-of-compliance applications
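The watermark and posture checks listed above, modelled as an added example (not Cisco's implementation): the check types (registry value, file existence with a CRC32 match, IP address range, certificate issuer) come from the datasheet, while the policy layout, function names, registry path, CA name and temporary tag file are constructed for this example, and the registry read is stood in by a dictionary so the code runs on any OS.

```python
"""Model of the watermark posture checks from the datasheet (added example,
not Cisco code).  Policy layout, names and sample endpoint data are constructed;
the registry lookup is a dictionary stand-in so the code runs on any OS."""
import ipaddress
import os
import tempfile
import zlib

def file_crc32(path):
    """CRC32 of a file's contents as an unsigned 32-bit value."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF

def evaluate_watermark(policy, endpoint):
    """Run each configured check; all must pass for 'corporate-owned'."""
    results = {}
    if "registry" in policy:
        key, want = policy["registry"]
        results["registry"] = endpoint["registry"].get(key) == want
    if "file" in policy:
        path, want_crc = policy["file"]
        # CRC32 is an error-detecting checksum, not a cryptographic hash: a
        # match shows the tag file is present and intact, nothing stronger.
        results["file"] = os.path.isfile(path) and file_crc32(path) == want_crc
    if "ip_range" in policy:
        net = ipaddress.ip_network(policy["ip_range"])
        results["ip_range"] = ipaddress.ip_address(endpoint["ip"]) in net
    if "cert_issuer" in policy:
        results["cert_issuer"] = any(
            c["issuer"] == policy["cert_issuer"] for c in endpoint["certs"])
    return results, all(results.values())

# Constructed sample: a tag file written to a temp dir plus fake endpoint facts.
SAMPLE_CONTENT = b"corp-asset-tag: EXAMPLE-0001\n"
SAMPLE_CRC = zlib.crc32(SAMPLE_CONTENT) & 0xFFFFFFFF
REG_KEY = r"HKLM\SOFTWARE\ExampleCorp\Managed"  # hypothetical registry value
CA_NAME = "CN=ExampleCorp Device CA"            # hypothetical issuing CA

def demo(ip="10.20.30.40"):
    path = os.path.join(tempfile.mkdtemp(), "asset.tag")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_CONTENT)
    policy = {"registry": (REG_KEY, "1"), "file": (path, SAMPLE_CRC),
              "ip_range": "10.20.0.0/16", "cert_issuer": CA_NAME}
    endpoint = {"registry": {REG_KEY: "1"}, "ip": ip,
                "certs": [{"subject": "CN=host01", "issuer": CA_NAME}]}
    return evaluate_watermark(policy, endpoint)
```

Calling `demo()` with an address outside the configured range fails only the IP check, which is how a single out-of-policy attribute drops the endpoint out of the corporate-owned class.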
Advanced IP Network Connectivity
• Access to internal IPv4 and IPv6 network resources
• Centralized split-tunneling control for optimized network access
IP address assignment mechanisms:
• Static
• Internal pool
• Dynamic Host Configuration Protocol (DHCP)
• RADIUS/LDAP
Client Firewall Policy
• Added protection for Split Tunneling configurations
• Used in conjunction with Cisco Secure Mobility to allow for local access exceptions (e.g., printing or tethered device support)
• Supports port-based rules for IPv4 and network/IP access control lists (ACLs) for IPv6
• Available for Windows XP SP2, Vista, and Windows 7, and Mac OS X
AnyConnect Profile Editor
• AnyConnect policies may be customized directly from Cisco Adaptive Security Device Manager (ASDM)
Secure Mobility
Cisco ScanSafe Integration (New in AnyConnect 3.0)
• Uses Cisco ScanSafe, the largest global provider of SaaS web security, to keep malware off corporate networks and control and secure employee web usage
• Gives organizations flexibility and choice by supporting cloud-based services in addition to premise-based Cisco IronPort web security solutions
Cisco AnyConnect Secure Mobility (Premium or Cisco IronPort Web Security Appliance Secure Mobility license required)
• Enforces security policy in every transaction, independent of user location
• Requires always-on secure network connectivity with a policy to permit or deny network connectivity if access becomes unavailable
• Hotspot/Captive Portal Detection
• Optimized for use with the Cisco IronPort Web Security Appliance or Cisco ScanSafe services
Telemetry (New in AnyConnect 3.0)
• Provides feedback from endpoints to the web filtering infrastructure using information about the origin of malicious content causing infections
• Enhances web security protection levels by working to strengthen the filtering algorithm, and improve the accuracy of the URL reputation database by analyzing and correlating the endpoint data
• Supported on Windows 7, Vista, and XP SP2+
Broad Operating System Support
• Windows 7 32-bit (x86) and 64-bit (x64)
• Windows Vista 32-bit (x86) and 64-bit (x64)
• XP SP2+ 32-bit (x86) and 64-bit (x64)
• Mac OS 10.5.x and 10.6.x (premise-based only)
Network Access Manager - 802.1X (New in AnyConnect 3.0)
IEEE 802.1X
• Enables businesses to deploy a single 802.1X authentication framework to access both wired and wireless networks
• Manages the user and device identity and the network access protocols required for secure access
• Optimizes the user experience when connecting to a Cisco unified wired and wireless network
IEEE 802.1AE (MACsec)
• Defines a security infrastructure on a wired Ethernet network to provide data confidentiality, data integrity, and authentication of data origin
• Safeguards communication between trusted components of the network
Media Support
• Wired Ethernet (IEEE 802.3)
• Wi-Fi (IEEE 802.11a, 802.11b, 802.11g, 802.11n)
Network Authentication
• IEEE 802.1X-2001, 802.1X-2004, and 802.1X-2010
Extensible Authentication Protocol (EAP) Methods
• EAP-Transport Layer Security (TLS)
• Lightweight EAP (LEAP)
• EAP-Message Digest 5 (MD5)
• EAP-Protected Extensible Authentication Protocol (PEAP) with the following inner methods:
• EAP-TLS
• EAP-MSCHAPv2
• EAP-GTC
• EAP-Flexible Authentication via Secure Tunneling (FAST) with the following inner methods:
• EAP-TLS
• EAP-MSCHAPv2
• EAP-GTC
• EAP-Tunneled TLS (TTLS) with the following inner methods:
Federal Information Processing Standard (FIPS) 140-2 Level 1 (Windows XP only)
• Requires purchase of separate drivers for a complete FIPS 140-2 Level 1 client solution
• Many popular Intel, Broadcom, and Atheros Wi-Fi chipsets supported
• FIPS mode includes support for the EAP-TLS, EAP-FAST, and EAP-PEAP methods
Operating Systems Supported
• Windows 7 (32-bit and 64-bit)
• Windows Vista (32-bit and 64-bit)
• Windows XP SP2+ (32-bit)
• Windows Server 2003 (32-bit)
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org).
Platform Compatibility
The Cisco AnyConnect Secure Mobility Client is compatible with all Cisco ASA 5500 Series Adaptive Security Appliance models (running Cisco ASA Software Release 8.0.3 and later) and various Cisco IOS® Software-based routers. The Cisco AnyConnect Secure Mobility Client is not compatible with Cisco PIX® security appliances or Cisco VPN 3000 Series concentrators.
AnyConnect Essentials
• Full Tunneling access to enterprise applications
AnyConnect Premium
• Includes clientless SSL VPN, Cisco Secure Desktop capabilities (including Host Scan), and support for Cisco AnyConnect Secure Mobility. Provides Essentials capabilities, including Full Tunneling access to enterprise applications
• License is based on number of simultaneous users, and is available as a single device or shared license
• For use with ScanSafe SaaS Web Security Services
• Extends the real-time protection and policy enforcement to roaming employees
FIPS 140-2 Level 1 Compliance
• ASA license allows use of a FIPS-compliant version of AnyConnect
Electronic License Delivery
Most licenses are available for electronic delivery; this significantly speeds up license fulfillment time. To order a license electronically, be sure to order part number(s) that begin with "L-."
Any Cisco SMARTnet customer may download the latest Cisco AnyConnect Secure Mobility Client software from Cisco.com, but a headend license is required in order to support more than two simultaneous connections. Please refer to the Cisco AnyConnect Secure Mobility Client Licensing Options section above for additional information on the available options.