The main reason for any company to migrate from Cisco IPsec client to Cisco AnyConnect client is due to the end-of-life announcement of IPsec client; along with new added features in AnyConnect.
- AnyConnect uses IKEv2. IKEv2 offers greater security and mobility capabilities when compared to the older IKEv1. Unlike IKEv1, IKEv2 is capable of supporting AnyConnect features such as HostScan and secure mobility.
- AnyConnect runs on port 443 so many firewalls will not interfere with traffic on AnyConnect vs an IPSEC software VPN.
- AnyConnect can be deployed in Smartphones, enabling the smart devices to securely connect to network.
- AnyConnect has location awareness feature that can be used to automatically connect to the nearest gateway based on user’s geographical location.
- SBL, Start Before Login. AnyConnect’s SBL feature can be used in scenarios where authentication always happens realtime, and credentials are not stored in chache. We can also automatically map/connect to a drive with this feature, before the user logins in.
- AnyConnect makes use of SSL and DTLS tunnel. The SSL-Tunnel is the TCP tunnel that is first created to the ASA. When it is fully established, the client will then try to negotiate a UDP DTLS-Tunnel. While the DTLS-Tunnel is being established, data can pass over the SSL-Tunnel. When the DTLS-Tunnel is fully established, all data now moves to the DTLS-tunnel and the SSL-tunnel is only used for occasional control channel traffic.
- AnyConnect supports Radius, LDAP, TACACS, Kerberos, NT Domain (NTLM), RSA/SDI, Local, and digital certificates, and a combination of AAA and certificates.