Skip to main content

Cisco Licensing and SecureAuth compatibility

AnyConnect Mobile license

The mobile license is compatible with both the Premium and Essentials license, and will work with mobile devices and SecureAuth the same way based on the information below.

In order for SecureAuth to be deployed behind the ASA leveraging the clientless SSL features, the ASA would require a premium license.

SecureAuth has been successfully deployed in many customer environments that are running AnyConnect Essentials. The difference in the integration is the user experience. With the Premium license a user can point their browser to the ASA and the session will automatically land on the enrollment profile or map to the access profile, all within the browser. The Premium license is required to enable the clientless features.

With the Essentials license all clientless features are disabled. You can still log in to the SSL VPN from a web page, but the ASA will force the launch of AnyConnect. Even if you have a Premium license installed on the ASA, Essentials will disable the clientless features. Essentials supersedes the Premium license.

The effect of the Essentials license is a change to the user experience.

A user that connects without a valid certificate can still land on a profile that is configured for enrollment, but AnyConnect will automatically send the Homepage URL to the default browser, which means the users browser will pop open after the client installs, and would point to SecureAuth _through_ the AnyConnect tunnel. Some customers do not like having the browser open automatically and feel that it is a confusing user experience. Instead of launching the Homepage URL in the default browsers those customers will use a DAP policy to provide a message to the user that they must enroll/re-enroll for a valid certificate before they will be granted access. Lacking the clientless features, SecureAuth is made available via firewall rules and NAT on the ASA, or SecureAuth is deployed in a public DMZ so that users can more easily point their browser to SecureAuth for enrollment.

AnyConnect with either the Premium or Essentials license will still support the certificate + AAA authentication for which SecureAuth provides credentials.

In this section: