
AnyConnect - How to list more than one host on a Mac

mattfero1
Level 1

I use Cisco AnyConnect on a Mac to connect to more than one host. However, the AnyConnect client will only remember the host name and group for the last host to which it was connected. (Apparently it does this by saving the information from the last connection in an invisible file in my home folder called ~/.anyconnect.) How can I have the hostname popup list more than one server?

4 Replies

1) If the ASA you want to connect to is under your control:

In ASDM go to Configuration -> Remote-Access VPN -> Network Client Access -> AnyConnect Client Profile

There you configure a Profile that specifies a Name for your connection and the fqdn/group. These profiles get pushed to the AnyConnect-clients when they connect.

2) If the ASA is not under your control, place a profile under /opt/cisco/anyconnect/profile

This profile has the following content (look at "Host-Entry" at the end):

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false
    </RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Your VPN Name in AC Window</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>Your-VPN-Group</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>


Thank you for your reply Karsten.  

In regards to your latter suggestion, I find an item named AnyConnectProfile.xsd in the folder /opt/cisco/anyconnect/profile.  It looks like XML but all its entries start with <xs:  

Do I add your profile as a separate document to this folder and, if so, what do I call it? I suppose the idea is to duplicate the entries for hostname, hostaddress, and Usergroup as needed for each server within a single profile file, correct?

You have to copy the file as filename.xml into that directory. The .XSD is not modified.

It is possible to put multiple entries into one XML-file. But I think it's more "elegant" to use one file per customer/ASA. You could name them like the following:

CustomerA-ASA1.xml
CustomerA-ASA2.xml
CustomerB-ASA1.xml
...

Thanks Karsten!  I was able to get it to work by placing two XML files in /opt/cisco/anyconnect/profile/ like you said.  However, for some reason I had to leave the <UserGroup> entry blank because it caused an error for both servers.
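
An added example, not part of the thread and not Cisco code: a Python check that reads every *.xml profile in a directory and lists the HostEntry values it declares, so you can confirm which servers the profiles offer and spot files that are not well-formed. The function names, the sample host names and the broken.xml file are constructed for illustration; on a Mac the directory to pass would be /opt/cisco/anyconnect/profile.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace declared on <AnyConnectProfile> in the profile posted in the thread.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

def audit_profiles(profile_dir):
    """Return (entries, problems); entries are (file, HostName, HostAddress, UserGroup or None)."""
    entries, problems = [], []
    for path in sorted(Path(profile_dir).glob("*.xml")):
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError as exc:
            problems.append(f"{path.name}: not well-formed XML ({exc})")
            continue
        hosts = root.findall("ac:ServerList/ac:HostEntry", NS)
        if not hosts:
            problems.append(f"{path.name}: no HostEntry found (wrong namespace?)")
        for host in hosts:
            def field(tag):
                return (host.findtext(f"ac:{tag}", default="", namespaces=NS) or "").strip()
            if not field("HostName"):
                problems.append(f"{path.name}: HostEntry without HostName")
            # A blank <UserGroup>, as in the last post of the thread, is reported as None.
            entries.append((path.name, field("HostName"), field("HostAddress"),
                            field("UserGroup") or None))
    return entries, problems

def write_sample_profiles(directory):
    """Constructed sample data: two valid profiles and one truncated file."""
    head = '<?xml version="1.0" encoding="UTF-8"?>\n<AnyConnectProfile xmlns="%s"><ServerList>' % NS["ac"]
    tail = "</ServerList></AnyConnectProfile>"
    entry = "<HostEntry><HostName>%s</HostName><HostAddress>%s</HostAddress><UserGroup>%s</UserGroup></HostEntry>"
    files = {
        "CustomerA-ASA1.xml": head + entry % ("Customer A", "vpn-a.example.com", "GroupA") + tail,
        "CustomerB-ASA1.xml": head + entry % ("Customer B primary", "vpn-b1.example.com", "")
                              + entry % ("Customer B backup", "vpn-b2.example.com", "") + tail,
        "broken.xml": head + "<HostEntry><HostName>cut off",
    }
    for name, body in files.items():
        Path(directory, name).write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_profiles(tmp)
        found, notes = audit_profiles(tmp)
    print(*found, *("WARNING: " + n for n in notes), sep="\n")
```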