By default, AnyConnect downloads a new profile every time you connect. This ensures that the profile, an XML file stored locally on the client, is up to date with the administrative settings. That is fine, but if you do not have profiles set up for each of your connections, users will have to manually enter the connection details for the non-profiled connections.
There is a client-side way around this, however. Create a new AnyConnect profile containing only the Server List settings. This provides a drop-down menu entry for each server connection, even if it does not have an associated XML profile on the headend. For example, ADMC Group is used below to connect to the ASA with a machine certificate only and has its own AnyConnect profile. AD User Pass and LOCAL User Pass are used for AD user authentication and ASA user authentication respectively, and do not currently use an associated AnyConnect XML file.
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ServerList>
    <HostEntry>
      <HostName>ADMC Group</HostName>
      <HostAddress>HQ-ASA.fcorp.org</HostAddress>
      <UserGroup>ADMC</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>AD User Pass</HostName>
      <HostAddress>HQ-ASA.fcorp.org</HostAddress>
      <UserGroup>ADUP</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>LOCAL User Pass</HostName>
      <HostAddress>HQ-ASA.fcorp.org</HostAddress>
      <UserGroup>LUP</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
Place the created file in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile.
You also need to ensure that a group-url is defined for each connection on your ASA headend, matching the <HostAddress> and <UserGroup> fields. This is a case-sensitive value. If it is incorrect, the connection will fail.
tunnel-group ADUP type remote-access
tunnel-group ADUP general-attributes
 authentication-server-group MS_AD
 default-group-policy ADUP
tunnel-group ADUP webvpn-attributes
 group-alias AD-USER-PASS enable
 group-url https://HQ-ASA.fcorp.org/ADUP enable
fcorp.org is a domain I own for internal testing. Please change your entries to those appropriate to your environment. This was tested using ASAv 9.8.2 and AnyConnect 4.5.00058 (Windows 10).
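A pre-deployment check for the group-url requirement above, as an added example that is not part of the original post: it compares each HostEntry in a Server List profile against the enabled group-url lines in ASA config text and flags missing or case-mismatched entries. It assumes the client requests https://<HostAddress>/<UserGroup>; the function names and both sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}  # namespace declared in the profile

def profile_urls(xml_text):
    """Return {HostName: URL the client will request} for each HostEntry."""
    urls = {}
    for entry in ET.fromstring(xml_text).iterfind(".//ac:HostEntry", NS):
        name = entry.findtext("ac:HostName", "", NS).strip()
        addr = entry.findtext("ac:HostAddress", "", NS).strip()
        group = entry.findtext("ac:UserGroup", "", NS).strip()
        # Assumption: the client requests https://<HostAddress>/<UserGroup>
        urls[name] = f"https://{addr}/{group}" if group else f"https://{addr}"
    return urls

def asa_group_urls(config_text):
    """Collect every enabled group-url from ASA running-config text."""
    return set(re.findall(r"^\s*group-url\s+(\S+)\s+enable\s*$", config_text, re.M))

def check(xml_text, config_text):
    """Classify each profile entry as ok, case-mismatch or missing."""
    defined = asa_group_urls(config_text)
    lowered = {u.lower() for u in defined}
    result = {}
    for name, url in profile_urls(xml_text).items():
        if url in defined:
            result[name] = "ok"
        elif url.lower() in lowered:
            result[name] = "case-mismatch"  # exact match is required, so this fails
        else:
            result[name] = "missing"
    return result

# Constructed sample inputs: LUP has a case mismatch, ADMC has no group-url.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
<ServerList>
<HostEntry><HostName>ADMC Group</HostName><HostAddress>HQ-ASA.fcorp.org</HostAddress><UserGroup>ADMC</UserGroup></HostEntry>
<HostEntry><HostName>AD User Pass</HostName><HostAddress>HQ-ASA.fcorp.org</HostAddress><UserGroup>ADUP</UserGroup></HostEntry>
<HostEntry><HostName>LOCAL User Pass</HostName><HostAddress>HQ-ASA.fcorp.org</HostAddress><UserGroup>LUP</UserGroup></HostEntry>
</ServerList></AnyConnectProfile>"""
ASA_CONFIG = """tunnel-group ADUP webvpn-attributes
 group-url https://HQ-ASA.fcorp.org/ADUP enable
tunnel-group LUP webvpn-attributes
 group-url https://hq-asa.fcorp.org/lup enable
"""

if __name__ == "__main__":
    for name, status in check(PROFILE_XML, ASA_CONFIG).items():
        print(f"{name}: {status}")
```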