01-05-2021 09:54 AM
We have a client that wants to migrate their ASA 5525X AnyConnect configuration to a Firepower 2130 running on FTD code. They have these features currently enabled for AnyConnect:
Dynamic Access Policies
Host Scan
SAML SSO
Last summer I had another customer with the same requirements and we found from a Cisco engineer and later on documentation that the features below were not supported on FTD 6.4 and there were no plans to develop support for the features described below:
Does anyone know if these features are still not supported in the newest FTD code? And are there any plans in the road map to support these features? Thank you
Currently unsupported on FTD, but available on ASA:
- Double AAA Authentication
- Dynamic Access Policy
- Host Scan
- ISE posture
- RADIUS CoA
- VPN load-balancer
- Local authentication
- LDAP attribute map
- AnyConnect customization
- AnyConnect scripts
- AnyConnect localization
- Per-app VPN
- SCEP proxy
- WSA integration
- SAML SSO
- Simultaneous IKEv2 dynamic crypto map for RA and L2L VPN
- AnyConnect modules (NAM, Hostscan, AMP Enabler etc.) – DART is installed by default
- TACACS, Kerberos (KCD Authentication and RSA SDI)
- Browser Proxy
01-05-2021 09:58 AM
This is the latest release and supported feature mentioned in the release notes.
01-05-2021 10:59 AM
SAML SSO is supported as of FTD 6.7
DAP and Hostscan are not yet supported via the GUI although they are exposed via the REST API. We hope to see them in the 6.8 GUI this spring, but Cisco doesn't confirm the features in unreleased code until the last minute.
01-05-2021 11:03 AM
Hi Marvin, could you please clarify what you mean by "although they are exposed via the REST API"? Can I configure and maintain these features (DAP and Hostscan) via the API tool for AnyConnect? Is this API on the FMC or FTD? Thank you.
01-05-2021 11:19 AM
The API support for DAP and Hostscan is limited to non-FMC managed FTD devices as of 6.7. The FMC 6.7 API does not currently have DAP or Hostscan support.
So you would need to have an FDM- or CDO-managed FTD and interact with it directly via the API using your own code.
01-05-2021 11:05 AM
Double authentication, ISE posture, RADIUS CoA, SCEP proxy, and AnyConnect modules are all supported as of 6.7.
VPN Load Balancer is planned, no timescales yet though.
01-05-2021 12:07 PM
Thanks Rob. For "anyconnect modules are all supported as of 6.7", is this on the FMC or non-FMC managed?
01-05-2021 12:12 PM
Both, via FMC and FDM. Although if using FDM, you have to use the API to upload the modules.