
VPN with Alias on FTD

tahscolony
Level 1

Currently we have an ASA and use Secure Client 5.1.8.105 and two profiles using Alias that authenticate via 2FA. To get the correct profile, split tunnel or full tunnel, a user tacks the alias on to the URL and then connects, authenticates with full 2FA, gets the appropriate profile and goes to work.

Trying to replicate this on an FTD using the same versions of client and 7.4.2 gold star, it fails when trying to add the alias, with a "No valid certificates available for authentication" message being logged before disconnect.

To block hackers and spammers, DefaultGroup is set up for DefaultWEbVPN and is sent to AAA in the sky, IOW a dead server. To avoid being hacked on our active profiles, the drop-down is disabled on login. It's the exact same setup as the ASA, which works fine.

I attempted to access this page since I managed via CDO. Its description states

Aliases —Provide an alternate name or URL for the connection profile. Remote Access VPN administrators can enable or disable the Alias names and Alias URLs. VPN users can choose an Alias name when they connect to the FTD device remote access VPN using the AnyConnect VPN client. Step 4: Click Save.

but the URL is https://edge.us.cdo.cisco.com/content/docs/t_configure_multiple_connection_profiles.html#!c-migrating-palo-alto-networks-firewall-to-multicloud-defense-with-the-firewall-migration-tool-in-cisco-defense-orchestrator.html and it directs to a Migration document for Palo Alto. Cisco web techs must be drunk.

It looked like what I need is the doc prior to redirection, but it doesn't stay up long enough to understand what it says. Where can I find the documentation to configure the Secure Connect to work as it does on my ASA by adding the alias to the URL?

https://vpn.domain.com/mfa

 

 

2 Replies

Marvin Rhoads
Hall of Fame

You can reference the documentation for this feature in the on-prem FMC guide as this feature works the same from either management location.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/vpn-remote-access.html#task_pvz_m35_5gb

 

tahscolony
Level 1

I figured it out, fat-fingered the URL.

 

Time for new glasses.
