topic Re: Anyconnect features support on newest FTD code in Network Security

Anyconnect features support on newest FTD code

borman.bravo — Tue, 05 Jan 2021 17:54:52 GMT

We have a client that wants to migrate their ASA 5525X AnyConnect configuration to an Firepower 2130 running on FTD code, they have these feature currently enabled for AnyConnect:

Dynamic Access Policies

Host Scan

SAML SSO

Last summer I had another customer with the same requirements and we found from a Cisco engineer and later on documentation that the features below were not supported on FTD 6.4 and there were no plans to develop support for the features described below:

Does anyone know if these features are still not supported in the newest FTD code? And are there any plans in the road map to support these features? Thank you

Currently unsupported on FTD, but available on ASA:

- Double AAA Authentication

- Dynamic Access Policy

- Host Scan

- ISE posture

- RADIUS CoA

- VPN load-balancer

- Local authentication

- LDAP attribute map

- AnyConnect customization

- AnyConnect scripts

- AnyConnect localization

- Per-app VPN

- SCEP proxy

- WSA integration

- SAML SSO

- Simultaneous IKEv2 dynamic crypto map for RA and L2L VPN

- AnyConnect modules (NAM, Hostscan, AMP Enabler etc.) – DART is

installed by default

- TACACS, Kerberos (KCD Authentication and RSA SDI)

- Browser Proxy

Re: Anyconnect features support on newest FTD code

balaji.bandi — Tue, 05 Jan 2021 17:58:12 GMT

This is the latest release and supported feature mentioned in the release notes.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html

Re: Anyconnect features support on newest FTD code

Marvin Rhoads — Tue, 05 Jan 2021 18:59:16 GMT

SAML SSO is supported as of FTD 6.7

DAP and Hostscan are not yet supported via the GUI although they are exposed via the REST API. We hope to see them in the 6.8 GUI this spring, but Cisco doesn't confirm the features in unreleased code until the last minute.

Re: Anyconnect features support on newest FTD code

borman.bravo — Tue, 05 Jan 2021 19:03:49 GMT

Hi Marvin, could you please clarify what you mean by "although they are exposed via the REST API" can I configure and maintain these features (DAP and Hostscan) via the API tool for anyconnect? is this API on the FMC or FTD? thank you

Re: Anyconnect features support on newest FTD code

Rob Ingram — Tue, 05 Jan 2021 19:05:51 GMT

@borman.bravo

double authentication, ISE posture, RADIUS CoA, SCEP proxy, anyconnect modules are all supported as of 6.7

VPN Load Balancer is planned, no timescales yet though.

Re: Anyconnect features support on newest FTD code

Marvin Rhoads — Tue, 05 Jan 2021 19:19:01 GMT

The API support for DAP and Hostscan is limited to non-FMC managed FTD devices as of 6.7. The FMC 6.7 API does not currently have DAP or Hostscan support.

So you would need to have an FDM- or CDO-managed FTD and interact with it directly via the API using your own code.

FDM 6.7 API - DAP

Re: Anyconnect features support on newest FTD code

borman.bravo — Tue, 05 Jan 2021 20:07:10 GMT

Thanks Rob, for "anyconnect modules are all supported as of 6.7" is this on the FMC or non-FMC managed?

Re: Anyconnect features support on newest FTD code

Rob Ingram — Tue, 05 Jan 2021 20:12:48 GMT

@borman.bravo

Both, via FMC and FDM. Although if using FDM you have to use the API to upload the modules

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html