Anyconnect features support on newest FTD code

borman.bravo
Level 1

We have a client that wants to migrate their ASA 5525X AnyConnect configuration to a Firepower 2130 running on FTD code. They have these features currently enabled for AnyConnect:

- Dynamic Access Policies

- Host Scan

- SAML SSO

Last summer I had another customer with the same requirements, and we found from a Cisco engineer, and later in documentation, that the features below were not supported on FTD 6.4 and there were no plans to develop support for the features described below:

Does anyone know if these features are still not supported in the newest FTD code? And are there any plans in the roadmap to support these features? Thank you.

Currently unsupported on FTD, but available on ASA:

- Double AAA Authentication

- Dynamic Access Policy

- Host Scan

- ISE posture

- RADIUS CoA

- VPN load-balancer

- Local authentication 

- LDAP attribute map

- AnyConnect customization

- AnyConnect scripts

- AnyConnect localization

- Per-app VPN

- SCEP proxy

- WSA integration

- SAML SSO

- Simultaneous IKEv2 dynamic crypto map for RA and L2L VPN

- AnyConnect modules (NAM, Hostscan, AMP Enabler etc.) – DART is installed by default

- TACACS, Kerberos (KCD Authentication and RSA SDI)

- Browser Proxy

balaji.bandi
Hall of Fame

This is the latest release, and the supported features are mentioned in the release notes.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html

BB

Marvin Rhoads
Hall of Fame

SAML SSO is supported as of FTD 6.7

DAP and Hostscan are not yet supported via the GUI although they are exposed via the REST API. We hope to see them in the 6.8 GUI this spring, but Cisco doesn't confirm the features in unreleased code until the last minute.

Hi Marvin, could you please clarify what you mean by "although they are exposed via the REST API"? Can I configure and maintain these features (DAP and Hostscan) via the API tool for AnyConnect? Is this API on the FMC or FTD? Thank you.

The API support for DAP and Hostscan is limited to non-FMC managed FTD devices as of 6.7. The FMC 6.7 API does not currently have DAP or Hostscan support.

So you would need to have an FDM- or CDO-managed FTD and interact with it directly via the API using your own code.

FDM 6.7 API - DAP

@borman.bravo 

Double authentication, ISE posture, RADIUS CoA, SCEP proxy, and AnyConnect modules are all supported as of 6.7.

VPN Load Balancer is planned, no timescales yet though.

Thanks Rob, for "anyconnect modules are all supported as of 6.7" is this on the FMC or non-FMC managed?

@borman.bravo 

Both, via FMC and FDM, although if using FDM you have to use the API to upload the modules.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html
