Solved: Hide AnyConnect Profile

gilbert.aispuro1 · ‎10-03-2020

Hello all,

How do I hide Profiles from being selectable while connecting to the VPN?

I have 3 Connection Profiles and I only want to see one. The other two are for testing and I don't want my staff seeing those and getting confused.

gilbert.aispuro1 · ‎10-27-2020

So, I just removed the Mgmt tunnel AC profile in the headend, which fixed the issue. For some reason, when users would connect and update with the headend, it will populate the Mgmt tunnel profile in the wrong directory of "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\" which made it visible upon logging in. Since we're rolling the Mgmt tunnel profile via GPO, the headend doesn't need to update the users.

View solution in original post

balaji.bandi · ‎10-04-2020

You can edit the XML file and remove the FQDN which is not required so they do not get any pull down menu.

Generally file will be available in Local PC : depends on how environment, some time you can push centrally these settings.

C:\Users\<Windows User>\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client\preferences.xml

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

gilbert.aispuro1 · ‎10-04-2020

I've tried removing my Mgmt Tunnel VPN's fqdn and that actually broke it. I added it back then it was able to auto connect again.

Marvin Rhoads · ‎10-04-2020

Change the configuration on the ASA side. for each connection profile (known as tunnel-group in the cli), there will be a section like this:

tunnel-group <profile name> webvpn-attributes
   group-alias <profile name> enable

Remove the group-alias sections to make them not appear in the dropdown list.

gilbert.aispuro1 · ‎10-04-2020

I have no alias configured for the Profiles but yet I still see the profiles upon connecting as an option.

I'm actually using FMC for my FTD 2110's.

Marvin Rhoads · ‎10-04-2020

My recommendation covers the initial display of profiles. @balaji.bandi 's recommendation covers whether or not they push to the client a persistent identification of the profile. If they ever did so, the profile must be manually deleted from the client computer. Profiles are stored in a C:\programdata subdirectory for Windows clients.

gilbert.aispuro1 · ‎10-04-2020

The thing is, I deleted all profiles, and when my management VPN profile kicks in when I log off, it then becomes an option to pick after that.

Marvin Rhoads · ‎10-04-2020

Can you share your remote access VPN configuration stanzas? (show run webvpn, group-policy and tunnel-group)

gilbert.aispuro1 · ‎10-27-2020

fp# sho run webvpn
webvpn
enable Outside
anyconnect-custom-attr dynamic-split-include-domains description traffic for these domains will be sent to the VPN headend
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/csm/anyconnect-win-4.8.03043-webdeploy-k9.pkg 1 regex "Windows"
anyconnect image disk0:/csm/anyconnect-macos-4.8.03043-webdeploy-k9.pkg 2 regex "Mac OS"
anyconnect profiles AC_Profile_Hostname disk0:/csm/AC_Profile_Hostname.xml
anyconnect profiles MPHC-VPN-IPsecProfile disk0:/csm/MPHC-VPN-IPsecProfile.xml
anyconnect profiles VpnMgmtTunProfile disk0:/csm/VpnMgmtTunProfile.xml
anyconnect enable
tunnel-group-list enable
cache
no disable

fp# sho run group-policy
group-policy DfltGrpPolicy attributes
dns-server value x
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-Split_Tunnel_Networks
default-domain value mphc.com
split-tunnel-all-dns enable
user-authentication-idle-timeout none
webvpn
anyconnect keep-installer none
anyconnect modules value dart
anyconnect ask none default anyconnect
http-comp none
activex-relay disable
file-entry disable
file-browsing disable
url-entry disable
deny-message none
group-policy .DefaultS2SGroupPolicy internal
group-policy .DefaultS2SGroupPolicy attributes
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ikev1 ikev2
group-policy MPHC_RA-GROUP-POLICY internal
group-policy MPHC_RA-GROUP-POLICY attributes
banner none
wins-server none
dns-server value x
dhcp-network-scope none
vpn-simultaneous-logins 1
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list value ACL-Split_Tunnel_Networks
default-domain value mphc.com
split-dns none
split-tunnel-all-dns enable
client-bypass-protocol disable
vlan none
address-pools none
anyconnect-custom dynamic-split-include-domains value includeddomains
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface public none
anyconnect firewall-rule client-interface private none
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 300
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules value dart
anyconnect profiles value AC_Profile_Hostname type user
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable
group-policy AnyConnect_MGMT_Tunnel internal
group-policy AnyConnect_MGMT_Tunnel attributes
banner none
wins-server none
dns-server value x
dhcp-network-scope none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ikev2
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-Split_Tunnel_Networks
default-domain value mphc.com
split-dns none
split-tunnel-all-dns enable
client-bypass-protocol enable
vlan none
address-pools value VPN-DHCP_Pool_2
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface public none
anyconnect firewall-rule client-interface private none
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules value dart
anyconnect profiles value VpnMgmtTunProfile type user
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable
group-policy AnyConnect_CertVPN_Tunnel internal
group-policy AnyConnect_CertVPN_Tunnel attributes
banner none
wins-server none
dns-server value x
dhcp-network-scope none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ikev2
split-tunnel-policy tunnelspecified
ipv6-split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-Split_Tunnel_Networks
default-domain value mphc.com
split-dns none
split-tunnel-all-dns enable
client-bypass-protocol enable
vlan none
address-pools none
anyconnect-custom dynamic-split-include-domains value includeddomains2
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface public none
anyconnect firewall-rule client-interface private none
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules value dart
anyconnect profiles value MPHC-VPN-IPsecProfile type user
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable

fp# sho run tunnel-group
tunnel-group MPHC-VPN type remote-access
tunnel-group MPHC-VPN general-attributes
address-pool VPN-DHCP_Pool
address-pool VPN-DHCP_Pool_2
authentication-server-group MPHC-AD
authorization-server-group MPHC-Radius
accounting-server-group MPHC-Radius
default-group-policy MPHC_RA-GROUP-POLICY
tunnel-group MPHC-VPN webvpn-attributes
group-alias MPHC-VPN enable
tunnel-group AnyConnect_MGMT_Tunnel type remote-access
tunnel-group AnyConnect_MGMT_Tunnel general-attributes
address-pool VPN-DHCP_Pool
address-pool VPN-DHCP_Pool_2
default-group-policy AnyConnect_MGMT_Tunnel
tunnel-group AnyConnect_MGMT_Tunnel webvpn-attributes
authentication certificate
group-url x enable
tunnel-group MPHC-Cert-VPN type remote-access
tunnel-group MPHC-Cert-VPN general-attributes
address-pool VPN-DHCP_Pool_2
tunnel-group MPHC-Cert-VPN webvpn-attributes
authentication certificate
group-alias Cert-VPN disable
tunnel-group MPHC-VPN-IPSec type remote-access
tunnel-group MPHC-VPN-IPSec general-attributes
address-pool VPN-DHCP_Pool_2
default-group-policy AnyConnect_CertVPN_Tunnel
tunnel-group MPHC-VPN-IPSec webvpn-attributes
authentication certificate
fp#

gilbert.aispuro1 · ‎10-27-2020

I also changed all tunnels to IKEv2, removed SSL settings. I removed the FQDN in the Management profile, and it still populates.

gilbert.aispuro1 · ‎10-27-2020

So, I just removed the Mgmt tunnel AC profile in the headend, which fixed the issue. For some reason, when users would connect and update with the headend, it will populate the Mgmt tunnel profile in the wrong directory of "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\" which made it visible upon logging in. Since we're rolling the Mgmt tunnel profile via GPO, the headend doesn't need to update the users.