Cisco Secure Client vs. Tailscale

Tailscale and Cisco Secure Client (including AnyConnect) both provide comprehensive VPN solutions. However, they differ in both their scope and the administrative lift required. In this article, we’ll compare the features of each product so you can decide which one would work best for your use case.

Comparison matrix

Here’s a quick visual comparison of where Tailscale and Cisco Secure Client stand on a feature-by-feature basis. We’ll dive more into each feature below.

| Feature | Tailscale | Cisco Secure Client |
| --- | --- | --- |
| Open source | Yes (clients but not coordination server) | |
| Integrates with identity providers for single sign-on | Yes (Google, Office 365/Azure AD, Okta, etc.) | |
| Connection type | Mesh-capable VPN | Client-server VPN |
| Encryption type | Node-to-node encryption between Tailscale agents | Encryption from client to server (ASA or virtual appliance) |
| Connection latency | Minimal (point-to-point) | TBD |
| ACLs and security policies? | Yes (central ACL policy) | Yes (central policy management via ISE) |
| Forward all traffic through gateway? | Optional (exit nodes) | Optional (via centralized configuration) |
| Auditing and logging? | Yes | Yes |
| Pricing | Free for individuals. Paid plans for teams and enterprise | Per-user licenses for Cisco Secure Client as well as investment in Cisco VPN appliances or virtual routers; other licensing costs may apply |

Cisco Secure Client overview

Cisco Secure Client is a secure endpoint solution that provides VPN connectivity access to corporate networks and devices. It uses a traditional client-server VPN model that requires running a Cisco Adaptive Security Appliance (ASA) or a virtual appliance for cloud networks. 

Cisco Secure Client supports secure connectivity via Transport Layer Security/Secure Sockets Layer (TLS/SSL) and IPsec Internet Key Exchange version 2 (IKEv2). The Secure Client software works across Windows, Mac, and Linux operating systems. (However, some client features are only available on certain OS’s.) It’s also available on a wide range of mobile devices, including iOS, Android, and Google ChromeOS. 

Secure Client supports a number of features including auto connect on start, fast user switching, and certificate pinning. It also supports a number of methods for ensuring endpoint security. 

Secure Client customers can also integrate other Cisco offerings, such as Umbrella, which provides DNS-layer security. However, such offerings require additional licensing, installation, and configuration.

Use cases for Cisco Secure Client

Cisco Secure Client is a general VPN solution for medium- to large-sized organizations that need to offer remote connectivity to office workers. It’s an attractive solution for companies with a pre-existing investment in Cisco networking hardware.

Via its cloud routers, Cisco also supports connectivity to off-premises networks, such as virtual networks hosted in cloud service providers like Amazon Web Services and Microsoft Azure. Companies can also leverage Cisco Secure Client to connect to client or partner networks and to link servers that are located in disparate networks securely.

Tailscale overview

In contrast to Cisco Secure Client and its product family, Tailscale is a mesh-capable VPN solution that emphasizes ease of deployment and administration. Rather than connect to a VPN server as in a traditional client-server VPN model, Tailscale enables defining a peer-to-peer mesh network called a tailnet, in which nodes on the network connect directly to one another. 

Tailscale is built on WireGuard®, a UDP-based VPN protocol that uses cryptographic keys for secure connectivity between clients. This means that Tailscale VPN connections are “always on” and don’t drop when users are roaming or network connectivity is spotty.

WireGuard uses state-of-the-art encryption protocols, including the Noise protocol framework and Curve25519. Tailscale enables secure connectivity among mesh members via a coordination server that serves as a repository for clients’ public keys.

Tailscale has clients for all major operating systems and devices. Rather than support authentication directly, Tailscale leaves authentication to the authentication experts with support for a number of authentication providers and protocols. Additionally, Tailscale supports a number of features that simplify VPN network configuration and lower administrative overhead.

Use cases for Tailscale

Tailscale and Cisco Secure Client overlap in their base use cases - i.e., providing remote connectivity for employees who are working from home or traveling. It also supports connectivity to cloud networks and site-to-site connectivity.

Additionally, Tailscale makes it easy to establish ad-hoc connectivity on demand. For example, you can use Tailscale to share out a development server securely within your company, or make certain servers or SaaS services available to partners.

Tailscale and Cisco Secure Client features compared

As promised, let’s look at Cisco Secure Client and Tailscale features one by one to see how they compare.


As a traditional client-server VPN product, Cisco Secure Client needs a stable TCP connection to retain connectivity to remote networks. Secure Client supports features such as connect on startup and auto-reconnect to keep users connected. 

However, there’s always a risk of connectivity dropouts over such TCP connections due to unstable network conditions. Additionally, Secure Client only allows connectivity for a single user on any machine at one time. On the flip side, Cisco Secure Client supports a sizable array of networking and encryption protocols.

Because Tailscale is UDP-based, it doesn’t face the same connectivity issues with which Secure Client struggles. Tailscale connections are “always on” and are available the moment a device regains Internet connectivity. The underlying WireGuard protocol boasts enhanced security and performance compared with IPsec-based VPNs like Secure Client.

Setup and administration

In terms of setup, installing the Cisco Secure Client itself is straightforward. Cisco supports a number of installation options, including via Web Deployment, Cisco’s SecureX Cloud Management Deployment system, or your organization’s software management service. 

Of course, there’s still all the other setup you need to do in order to deploy a Cisco-enabled VPN solution on the ASA side. The infrastructure required to support Cisco VPNs is extensive. It generally requires hiring someone who’s certified in Cisco products to install, configure user and device access, and maintain. 

By contrast, Tailscale focuses on simplified installation and administration. Tailscale maintains the coordination server to exchange users’ public keys. All you need to get started is to create a Tailscale account, set up an identity provider, and add users to your Virtual Private Network.

Network management

Both Cisco Secure Client and Tailscale provide a robust set of features for managing connectivity within VPNs. Secure Client supports options such as split tunneling, which enables sending only select traffic through the VPN tunnel, as well as split DNS. Cisco also supports dynamic split tunneling, which dynamically queries IP addresses for services with dynamic DNS mapping. 

Tailscale also supports multiple DNS features, including split-tunneling. MagicDNS makes it easy for admins to assign short DNS names to IP addresses that resolve across the tailnet. 

Tailscale also supports several features that are easier to implement than their Cisco Secure Client counterparts. Subnet routers enable accessing cloud environments and devices without installing a cloud router or even the Tailscale client. And exit nodes make it easy for users to decide whether to route all traffic through a single node on the VPN network.

Authentication, ACLs, and endpoint protection

Cisco Secure Client supports a range of authentication and endpoint protection options. Network Access Manager on Windows enables both Single Sign-On (SSO) and direct logon with existing Windows machine credentials. 

Secure Client also offers a lot in the way of endpoint security. Secure Endpoint offers advanced endpoint protection across control points via active threat detection. The ISE Posture module enforces security policies on endpoints, ensuring their safety before they connect to the network. 

For additional security, you can manage ACLs using client IP addresses through your Cisco ASAs. 

Tailscale supports multiple authentication types, including OAuth2, OpenID Connect (OIDC), and multiple SSO identity providers, including Okta, OneLogin, Microsoft, Apple, and Google. Tailscale is designed to hold a minimum amount of your users’ Personally Identifiable Information (PII), which simplifies compliance and data governance. Meshes use end-to-end encryption between nodes - Tailscale never sees (and cannot see) your data.

For ACL management, Tailscale uses ACL files written in Human JSON for better readability and self-documentation. Administrators can specify policies per user and device name instead of IP addresses. Using groups and tags, administrators can implement role-based access control (RBAC) easily.

Rather than administer security ACLs via a separate device, Tailscale admins can store ACLs in GitHub or GitLab and push to Tailscale securely via an API endpoint secured with an access token.
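
When the policy file lives in Git, it can be reviewed automatically before it is pushed. The following is an added example, not Tailscale's own code: a small pre-push check that reads a Human JSON policy and flags any-to-any rules and references to undefined groups or tags. The users, group names, tag names, and the choice of checks are assumptions made for illustration.

```python
import json
import re

# Constructed sample policy (hypothetical users, group and tag names).
SAMPLE_POLICY = r'''
{
  // Roles: group membership is by identity-provider login, not IP address.
  "groups": {"group:dev": ["alice@example.com", "bob@example.com"]},
  "tagOwners": {"tag:dev-server": ["group:dev"]},
  "acls": [
    // Developers reach tagged dev servers on SSH and HTTPS only.
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:dev-server:22,443"]},
    /* Left over from initial setup: every device to every port. */
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:ops"], "dst": ["tag:db:5432"]},
  ],
}
'''

_STRING = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STRING + r'|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING_COMMA = re.compile(_STRING + r'|,(\s*[}\]])')

def parse_hujson(text):
    """Strip comments and trailing commas (outside strings), then parse as JSON."""
    text = _COMMENT.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)
    text = _TRAILING_COMMA.sub(
        lambda m: m.group(1) if m.group(1) is not None else m.group(0), text)
    return json.loads(text)

def lint_policy(policy):
    """Return (rule_index, finding) pairs for rules a reviewer should question."""
    groups, tags = policy.get("groups", {}), policy.get("tagOwners", {})
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        srcs = rule.get("src", [])
        # A destination is "<target>:<ports>"; the target itself may contain a colon.
        targets = [d.rsplit(":", 1) for d in rule.get("dst", [])]
        if "*" in srcs and ["*", "*"] in targets:
            findings.append((i, "any-to-any"))
        for name in srcs + [t[0] for t in targets]:
            if name.startswith("group:") and name not in groups:
                findings.append((i, "undefined " + name))
            if name.startswith("tag:") and name not in tags:
                findings.append((i, "undefined " + name))
    return findings

def check(text):
    return lint_policy(parse_hujson(text))
```

Run as a CI step, a non-empty result from check() can block the merge so that a permissive or dangling rule is questioned before the policy is pushed.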


Pricing for Cisco Secure Client with AnyConnect can vary widely. Cisco licenses the client itself on 12 to 60 month terms or via a perpetual license. Additional licensing applies for features such as Umbrella and Posture Assessment.

Additionally, you’ll have to pay for the purchase of ASAs and licensing of any applicable software. Pricing for ASAs ranges from $500 up to $7,000. Plus there’s the expense of paying an expert to set up and maintain the entire VPN infrastructure.

By contrast, Tailscale pricing is a straightforward charge per active user. We include 100 devices by default plus an additional number of devices per user (10 per user on Starter plan and 20 per user on our Premium plan). All of our paid plans support an unlimited number of users.

Cisco Secure Client vs. Tailscale: The bottom line

Cisco Secure Client is a good choice for enterprises with existing Cisco investment or companies desiring additional features, such as endpoint security. However, it carries a large administrative overhead and upfront cost. 

By contrast, Tailscale requires no up-front investment and has a flat, per-user licensing scheme. It offers comprehensive end-to-end security with easy setup, low administrative burden, and an easy-to-use client. 

Want to see how easy it is to get up and running with Tailscale? Try it for free today.
