Multiple AnyConnect profiles

By default, AnyConnect downloads a new profile every time you connect. This ensures that the profile, an XML file stored locally on the client, stays in sync with the administrative settings on the headend. That is fine as far as it goes, but if you do not have a profile set up for each of your connections, the user has to manually enter the connection details for every non-profiled connection.

There is a client-side way around this, however. You create a new AnyConnect profile that contains only the Server List settings. This gives the user a drop-down menu entry for each server connection, even for connections that have no associated XML profile on the headend. In the example below, ADMC Group is used to connect to the ASA with a machine certificate only and has its own AnyConnect profile. AD User Pass and LOCAL User Pass are used for AD user authentication and ASA local user authentication respectively, and neither currently has an associated AnyConnect XML file.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ServerList>
    <HostEntry>
      <HostName>ADMC Group</HostName>
      <HostAddress>HQ-ASA.fcorp.org</HostAddress>
      <UserGroup>ADMC</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>AD User Pass</HostName>
      <HostAddress>HQ-ASA.fcorp.org</HostAddress>
      <UserGroup>ADUP</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>LOCAL User Pass</HostName>
      <HostAddress>HQ-ASA.fcorp.org</HostAddress>
      <UserGroup>LUP</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

Place the created file in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile.

You also need a group-url defined on your ASA headend for each connection, and it must match the <HostAddress> and <UserGroup> fields of the corresponding HostEntry. The group-url value is case sensitive; if it does not match exactly, the connection will fail. The ADUP tunnel-group from the profile above, for example:

tunnel-group ADUP type remote-access
tunnel-group ADUP general-attributes
  authentication-server-group MS_AD
  default-group-policy ADUP
tunnel-group ADUP webvpn-attributes
  group-alias AD-USER-PASS enable
  group-url https://HQ-ASA.fcorp.org/ADUP enable
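As an added example (not code from the original post), the following Python check parses a client-side profile like the one above together with an excerpt of the ASA configuration and reports, per HostEntry, whether the headend has an exactly matching group-url. Both inputs are constructed; the LOCAL User Pass entry deliberately uses a lower-case UserGroup so the case-sensitivity failure the post describes is visible.

```python
# Added example: verify that every HostEntry in a client-side AnyConnect profile
# has an exactly matching (case-sensitive) group-url on the ASA headend.
import re
import xml.etree.ElementTree as ET

# Namespace used by the AnyConnect profile XML shown in the post.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample profile: same entries as the post, except LUP is typed as "lup".
PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry><HostName>ADMC Group</HostName><HostAddress>HQ-ASA.fcorp.org</HostAddress><UserGroup>ADMC</UserGroup></HostEntry>
    <HostEntry><HostName>AD User Pass</HostName><HostAddress>HQ-ASA.fcorp.org</HostAddress><UserGroup>ADUP</UserGroup></HostEntry>
    <HostEntry><HostName>LOCAL User Pass</HostName><HostAddress>HQ-ASA.fcorp.org</HostAddress><UserGroup>lup</UserGroup></HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed sample of the relevant ASA tunnel-group lines.
ASA_CONFIG = """tunnel-group ADMC webvpn-attributes
  group-url https://HQ-ASA.fcorp.org/ADMC enable
tunnel-group ADUP webvpn-attributes
  group-alias AD-USER-PASS enable
  group-url https://HQ-ASA.fcorp.org/ADUP enable
tunnel-group LUP webvpn-attributes
  group-url https://HQ-ASA.fcorp.org/LUP enable
"""

# Captures the host and the path component of each enabled group-url line.
GROUP_URL_RE = re.compile(r"^\s*group-url\s+https?://([^/\s]+)/(\S+)\s+enable\s*$", re.M)


def profile_entries(xml_text):
    """Return (HostName, HostAddress, UserGroup) tuples from the profile's ServerList."""
    root = ET.fromstring(xml_text)
    entries = []
    for host in root.findall("ac:ServerList/ac:HostEntry", NS):
        name = host.findtext("ac:HostName", default="", namespaces=NS)
        addr = host.findtext("ac:HostAddress", default="", namespaces=NS)
        group = host.findtext("ac:UserGroup", default="", namespaces=NS)
        entries.append((name, addr, group))
    return entries


def asa_group_urls(config_text):
    """Return the set of (host, path) pairs from enabled group-url lines."""
    return {(m.group(1), m.group(2)) for m in GROUP_URL_RE.finditer(config_text)}


def check_profile(xml_text, config_text):
    """Map each HostName to True only if the ASA has an exact-case group-url for it."""
    urls = asa_group_urls(config_text)
    return {name: (addr, group) in urls for name, addr, group in profile_entries(xml_text)}
```

Running check_profile(PROFILE_XML, ASA_CONFIG) flags only "LOCAL User Pass", whose "lup" does not match the ASA's "LUP".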

fcorp.org is a domain I own for internal testing. Please change your entries to those appropriate to your environment. This was tested using ASAv 9.8.2 and AnyConnect 4.5.00058 (Windows 10).

This entry was posted in AnyConnect, ASAv, Security, Windows.