Mac OS X AnyConnect 3.1 - Support for multiple connection profiles?

avokeoperations
Level 1

Hi all,

I'm using AnyConnect VPN client 3.1.07021 on Mac OS X Yosemite.  No problems with connecting.

However, I have access to three different systems that I connect to, each of which is a different network - thus each has a different URL, authentication credential, and group. The field that holds the address to connect to (in the AnyConnect client) is a dropdown menu, which implies that multiple profiles might be saved there, and one chosen at the point of connection. However, it's unclear how this is done.

On Mac OS, the /opt/cisco/anyconnect/profile directory would appear to be where one could copy profile files.  However, the required data in those files isn't clear.  On connection, there is a transient profile file placed in /opt/cisco/anyconnect/.anyconnect_global and a slightly different file placed in ~/.anyconnect - but an attempt to copy these to the profile directory doesn't have any effect.  It appears that the only file that is used for the data in the connection field is the file at ~/.anyconnect.  The previous connection information is saved in these files, but there is no way to save additional profiles keyed by the connection target name or address.

Any information on how to solve this (I've reinstalled AnyConnect as part of this task) would be appreciated.  Also, I've noticed references to a difference in behavior depending on how AnyConnect is installed: for this environment, AnyConnect was installed manually (the installer - OS X .pkg file - was downloaded and then executed normally).  Java may not be installed nor may a browser be enabled to execute a Java application (due to our security policy) on these workstations.  The application was installed with administrative rights (as is presumably required), however.

Many thanks in advance for any guidance!

 


Marvin Rhoads
Hall of Fame

Multiple profiles can be used with AnyConnect 3.1 and OS X. You are correct that they are stored in /opt/cisco/anyconnect/profile.

Normally profiles are created in the ASA head end and automatically deployed to clients upon initial connection (and updated during subsequent connections as applicable). However, they are optional and most basic remote access VPN features can be used with or without a profile.

Each profile is a small XML file telling the client (at a minimum) the gateway address. If you don't have any to work from and copy locally to suit your needs, you can use the standalone AnyConnect Profile editor and build one.

Or, if you're more adventurous, build one by hand. Here's an example one - just substitute the information for the ASA address and (optionally) name. Save it as <unique profile name>.xml and put it in the directory mentioned above. One profile per connection.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false
    </RetainVpnOnLogoff>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>NAME_FOR_THE_DROPDOWN_LIST</HostName>
      <HostAddress>YOUR_ASA_ADDRESS_OR_FQDN</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
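
Added example, not part of the original posts and not Cisco's code: a Python script that lists the gateways each profile in /opt/cisco/anyconnect/profile adds to the dropdown and flags settings that differ from a review policy. The `EXPECTED` policy, the sample host values and the function name `audit_profile` are assumptions made for illustration.

```python
import glob
import xml.etree.ElementTree as ET

# XML namespace used by the profile shown in the answer above.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}
# Assumed review policy for this example (not a Cisco recommendation).
EXPECTED = {"EnableScripting": "false", "LocalLanAccess": "false",
            "AllowManualHostInput": "false"}

# Constructed sample: a trimmed profile with a made-up gateway.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Lab VPN</HostName>
      <HostAddress>vpn.lab.example</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def audit_profile(xml_text):
    """Return (hosts, findings) for one profile document."""
    root = ET.fromstring(xml_text)
    hosts = [(h.findtext("ac:HostName", "", NS).strip(),
              h.findtext("ac:HostAddress", "", NS).strip())
             for h in root.iterfind("ac:ServerList/ac:HostEntry", NS)]
    findings = []
    for name, want in EXPECTED.items():
        el = root.find(f"ac:ClientInitialization/ac:{name}", NS)
        if el is None:
            continue
        value = (el.text or "").strip().lower()
        if value != want:
            findings.append(f"{name}={value} (expected {want})")
        if el.get("UserControllable") == "true":
            findings.append(f"{name} is user controllable")
    return hosts, findings


if __name__ == "__main__":
    print("sample:", audit_profile(SAMPLE))
    for path in glob.glob("/opt/cisco/anyconnect/profile/*.xml"):
        with open(path, "rb") as fh:
            print(path, audit_profile(fh.read()))
```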

Thanks, Marvin. Very helpful!

This does work, but the only remaining question is whether there is a way to specify a different Username per connection.  The schema for the document doesn't seem to allow this, perhaps there is another way?

Glad that bit worked for you. 

Username is not stored per profile. There is a preferences XML file shared among the connection profiles (unless specifically prohibited by policy) that stores a single username value. 

On Windows I know it's stored one level up in the directory tree. I don't have the AnyConnect admin guide in front of me but it tells you all the file names and where they're stored for the supported OS types.