Cisco vs Tailscale: The Cisco AnyConnect Alternative
Tailscale is a great alternative to Cisco AnyConnect (now Cisco Secure Client) in providing comprehensive VPN solutions. There are major differences, such as Tailscale’s flat pricing compared to Cisco VPN pricing, underlying architecture, investment for initial setup, and commitments to hardware maintenance.
Tailscale is a preferred alternative to Cisco for both larger enterprise-grade organizations and smaller, personal uses, covering the same core needs like remote access VPN (RAVPN), business VPN, encryption, and multi-OS support. Let’s compare the features of each product so you can decide which one would work best for your use case.
Comparison matrix
Here’s a quick visual comparison of where Tailscale and Cisco AnyConnect stand on a feature-by-feature basis. We’ll dive more into each feature below.
| Tailscale | Cisco Secure Client | |
|---|---|---|
| Open source | Yes
Tailscale daemon and CLI tool, not the coordination server or GUI for proprietary OS |
No |
| Integrates with identity providers for single sign-on | Yes
Apple, Google, GitHub, Microsoft, Okta, OneLogin, and more with custom identity providers |
Yes |
| Connection type | Mesh-capable VPN | Client-server VPN |
| Encryption type | Node-to-node encryption using the WireGuard protocol | Encryption from client to server using TLS/DTLS (SSL VPN) and IKEv2/IPsec |
| Connection latency | Lower latency and higher throughput with peer-to-peer connections | The client-gateway model increases latency when the client and server are farther apart |
| ACLs and security policies? | Yes (central ACL policy, HuJason format, admins can use GitOPs to manage policy files) | Yes (central policy management via ISE) |
| Forward all traffic through gateway? | Optional (exit nodes) | Optional (via centralized configuration) |
| Auditing and logging? | Yes | Yes |
| Pricing? | Simple and predictable with flat pricing per user | Licensing per user or concurrent user with added costs for hardware, support contracts, additional modules, etc. |
What is the difference between Cisco AnyConnect vs Cisco Secure Client?
Cisco Secure Client is the new name for Cisco AnyConnect, including Cisco AnyConnect Secure Mobility Client. It is a rebranding effort and is the current official name for Cisco’s VPN offering. However, the community still commonly refers to Cisco’s VPN offering as AnyConnect.
Cisco AnyConnect overview
Cisco AnyConnect is a secure endpoint solution that provides VPN connectivity access to corporate networks and devices. It uses a traditional client-server VPN model that requires running a Cisco Adaptive Security Appliance (ASA) or a virtual appliance for cloud networks.
Cisco AnyConnect supports secure connectivity via Transport Layer Security/Secure Sockets Layer (TLS/SSL) and IPsec Internet Key Exchange version 2 (IKEv2). The AnyConnect software works across Windows, Mac, and Linux operating systems, although there isn’t feature parity across the board. It’s also available on a wide range of mobile devices, including iOS, Android, and Google ChromeOS.
AnyConnect supports a number of features, including auto-connect on start, fast user switching, and certificate pinning. It also supports a number of methods for ensuring endpoint security.
AnyConnect customers can also integrate other Cisco offerings, such as Umbrella, which provides DNS-layer security. However, such offerings require additional licensing, installation, and configuration.
Use cases for Cisco AnyConnect
Cisco AnyConnect is a general VPN solution for medium-to-large-sized organizations that need to offer remote connectivity to office workers, especially if there’s a pre-existing investment in Cisco networking hardware.
Via its cloud routers, Cisco also supports connectivity to off-premises networks, such as virtual networks hosted in cloud service providers like Amazon Web Services and Microsoft Azure. Companies can also leverage Cisco AnyConnect to connect to client or partner networks and to link servers that are located in disparate networks securely.
Tailscale overview
Tailscale is a great alternative to Cisco AnyConnect and its product family. Tailscale is a mesh-capable VPN solution that emphasizes ease of deployment and administration. Rather than connect to a VPN server as in a traditional client-server VPN model, Tailscale enables defining a peer-to-peer overlay mesh network called a tailnet, in which nodes on the network connect directly to one another.
Tailscale is built on WireGuard ®, a UDP-based VPN protocol that uses cryptographic keys for secure connectivity between clients. These WireGuard end-to-end encrypted tunnels form the decentralized Tailscale dataplane. This means that Tailscale VPN connections are “always on” and don’t drop when users are roaming or network connectivity is spotty. WireGuard uses state-of-the-art encryption protocols, including ChaCha20 for encryption and Poly1305 for authentication.
Tailscale enables secure connectivity among mesh members via a coordination server that serves as a repository for clients’ public keys. This serves as the control plane, which includes key exchange and coordinating device connections. These connections employ a custom Noise IK-based protocol with X25519 as described in RFC7748.
Tailscale has clients for all major operating systems and devices. Tailscale leaves authentication to the authentication experts with support for a number of authentication providers and protocols. Additionally, Tailscale supports a number of features that simplify VPN network configuration and lower administrative overhead.
Use cases for Tailscale
Tailscale is an excellent business VPN, remote access VPN. It excels at Cisco AnyConnect’s base use cases, like providing remote connectivity for employees who are working from home or traveling. It also supports connectivity to cloud networks and site-to-site connectivity.
Additionally, Tailscale makes it easy to establish ad-hoc connectivity on demand. For example, you can use Tailscale to share out a development server securely within your company, or make certain servers or SaaS services available to partners. This makes Tailscale a great alternative to Cisco VPN solutions.
Tailscale vs Cisco AnyConnect features compared
Let’s look at Cisco AnyConnect and Tailscale features one by one to see how they compare.
Tailscale vs Cisco setup and administration
Setting up Cisco AnyConnect can be an involved process. The client itself supports installation methods like via Web Deployment, Cisco’s SecureX Cloud Management Deployment system, or your organization’s software management service. However, there are further infrastructure requirements. An administrator needs to install and configure a VPN headend.
The infrastructure required to support Cisco VPNs is extensive. It generally requires hiring someone who’s certified in Cisco products to install, configure user and device access, and maintain. The necessary VPN headend can be an ASA firewall, a Cisco IOS router with VPN, or Cisco’s newer Secure Firewall or Umbrella Secure Access. Setup involves defining IP address pools, authentication methods, access rules, and installing SSL certificates on the server.
By contrast, Tailscale focuses on simplified installation and administration. There is no hardware to deploy. Tailscale maintains the coordination server to exchange users’ public keys. All you need to get started is to create a Tailscale account (often by logging in with Google/Microsoft), install the client on two devices, and they instantly form a private network. There’s no need to configure IP ranges, firewall rules, or NAT traversal – Tailscale handles all of that automatically.
Tailscale vs Cisco network management
AnyConnect supports options such as split tunneling, which enables sending only select traffic through the VPN tunnel, as well as split DNS. Cisco also supports dynamic split tunneling, which dynamically queries IP addresses for services with dynamic DNS mapping.
Tailscale also supports multiple DNS features, including split-tunneling. MagicDNS makes it easy for admins to assign short DNS names to IP addresses that resolve across the tailnet.
Tailscale also supports several features that are easier to implement than their Cisco AnyConnect counterparts. Subnet routers enable accessing cloud environments and devices without installing a cloud router or even the Tailscale client. And exit nodes make it easy for users to decide whether to route all traffic through a single node on the VPN network.
Tailscale vs Cisco authentication, ACLs, and endpoint protection
Cisco AnyConnect supports a range of authentication and endpoint protection options. Network Access Manager on Windows enables both Single Sign-On (SSO) and direct logon with existing Windows machine credentials. Secure Endpoint offers advanced endpoint protection across control points via active threat detection. The ISE Posture module enforces security policies on endpoints, ensuring their safety before they connect to the network.
Cisco VPN solutions typically enforce access policy at the gateway. Once connected, a user is often placed into a specific VPN pool or VLAN, and the ASA can apply ACLs to restrict what that VPN client can reach. Dynamic Access Policies (DAP) can change access rights on the fly based on user/device conditions.
Tailscale supports multiple authentication types, including OAuth2, OpenID Connect (OIDC), and multiple SSO identity providers, including Okta, OneLogin, Microsoft, Apple, and Google. Tailscale is designed to hold a minimum amount of your users’ Personally Identifiable Information (PII), which simplifies compliance and data governance. Meshes use end-to-end encryption between node points - Tailscale never sees (and cannot see) your data.
Tailscale approaches segmentation with an identity-based ACL system. Tailscale uses ACL files written in Human JSON for better readability and self-documentation. Administrators can specify policies per user and device name instead of IP addresses. Using groups and tags, administrators can implement Role-Based Access controls (RBACs) easily.
Rather than administrate security ACLs via a separate device, Tailscale admins can store ACLs in GitHub or GitLab and push to Tailscale securely via an API endpoint secured with an access token.
Tailscale vs Cisco VPN cost
Pricing for Cisco AnyConnect can vary widely. Cisco licenses the client itself on 12 to 60-month terms or via a perpetual license. Additional licensing applies for modules such as Umbrella and Posture Assessment. Hardware is an extra cost. You’ll have to pay for the purchase of ASAs and licensing of any applicable software. Remembering that the entire initial setup is complex, you will need to invest in an expert for the initial deployment. This extra startup cost is further compounded, you will incur recurring costs to further maintain the entire VPN infrastructure.
By contrast, Tailscale has flat pricing that is a straightforward charge per user. No hardware costs with networking appliances, and easy to set up yourself.
Tailscale vs Cisco AnyConnect: The bottom line
Cisco AnyConnect carries a large administrative overhead and upfront cost. By contrast, Tailscale offers comprehensive end-to-end security with easy setup, low administrative burden, and an easy-to-use client. If you’re looking for a Cisco AnyConnect alternative, Tailscale is your definitive choice, especially given Cisco VPN cost and pricing.
Want to see how easy it is to get up and running with Tailscale? Try it for free today.
