AnyConnect client profiles are downloaded to clients along with the VPN AnyConnect client software. These profiles define many client-related options, such as auto-connect on startup and auto-reconnect, and whether the end-user can change the option from the AnyConnect client preferences and advanced settings.

Apr 14, 2020

If you get the following error when connecting to a Cisco AnyConnect VPN from Windows, it's because the VPN establishment capability in the client profile doesn't allow connections from a remote desktop session:

"VPN establishment capability for a remote user is disabled. A VPN connection will not be established."

Find and double-click the downloaded file named 'anyconnect-win-4.5.XXXXXX.exe', where XXXXXX is the sub-version number of the installer. On the following screen, titled 'Welcome to the Cisco AnyConnect Secure Mobility Client Setup Wizard', click Next.

The Auto Connect On Start feature automatically establishes a VPN connection with the secure gateway specified by the VPN client profile when AnyConnect starts. Auto Connect On Start is disabled by default, requiring the user to specify or select a secure gateway.

If you configure a fully-qualified hostname (FQDN) for the outside interface when configuring the remote access VPN connection, the system creates a client profile for you. This profile enables the default settings. You must create and upload VPN AnyConnect client profiles only if you want non-default behavior. Note that client profiles are optional: if you do not upload one, AnyConnect clients will use default settings for all profile-controlled options.

Note: You must include the FTD device’s outside interface in the VPN profile’s server list for the AnyConnect client to display all user-controllable settings on the first connection. If you do not add the address or FQDN as a host entry in the profile, then filters do not apply for the session. For example, if you create a certificate match and the certificate properly matches the criteria, but you do not add the device as a host entry in that profile, the certificate match is ignored.
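The following Python check is an added example, not part of the original page or of Cisco's tooling. It reads a client profile before upload and reports the settings discussed above: Auto Connect On Start, the Windows VPN establishment capability, and whether the gateway is a host entry in the server list. The element names (AutoConnectOnStart, WindowsVPNEstablishment, ServerList/HostEntry) follow the AnyConnect profile XML format; the sample profile, the gateway vpn.example.com and the function name review_profile are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}  # AnyConnect profile namespace

# Constructed sample profile; vpn.example.com is a placeholder gateway.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Example Gateway</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def review_profile(xml_text, gateway):
    """Summarise the profile settings discussed above and flag mismatches."""
    root = ET.fromstring(xml_text)
    auto = root.find("ac:ClientInitialization/ac:AutoConnectOnStart", NS)
    est = root.find("ac:ClientInitialization/ac:WindowsVPNEstablishment", NS)

    # Collect every HostName/HostAddress value from the server list.
    hosts = set()
    for entry in root.findall("ac:ServerList/ac:HostEntry", NS):
        for tag in ("HostName", "HostAddress"):
            value = entry.findtext(f"ac:{tag}", default="", namespaces=NS).strip()
            if value:
                hosts.add(value.lower())

    result = {
        "auto_connect_on_start": auto is not None and (auto.text or "").strip().lower() == "true",
        # Raw attribute value, or None when the element is absent.
        "user_controllable": auto.get("UserControllable") if auto is not None else None,
        # Assumption: LocalUsersOnly is the default when the element is absent.
        "vpn_establishment": (est.text or "").strip() if est is not None else "LocalUsersOnly",
        "gateway_in_server_list": gateway.lower() in hosts,
        "findings": [],
    }
    if result["vpn_establishment"] == "LocalUsersOnly":
        result["findings"].append(
            "WindowsVPNEstablishment=LocalUsersOnly: connections started from a "
            "remote desktop session are refused")
    if not result["gateway_in_server_list"]:
        result["findings"].append(
            f"{gateway} is not a HostEntry: profile filters such as certificate "
            "match will not apply to sessions with it")
    return result
```

Call review_profile with the XML saved from the Profile Editor and the outside interface's FQDN or address, and read the findings list before uploading the profile.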

Allow Captive Portal Remediation—Check to let the Cisco AnyConnect Secure Mobility client lift the network access restrictions imposed by the closed connect failure policy. By default, this parameter is unchecked to provide the greatest security; however, you must enable it if you want the client to connect to the VPN if a captive portal is.

You can also create AnyConnect client profile objects while editing a profile property by clicking the Create New AnyConnect Client Profile link shown in the object list.

Before you begin

Before you can upload VPN AnyConnect client profiles, you must do the following.

  • Download and install the stand-alone AnyConnect “Profile Editor - Windows / Standalone installer (MSI).” The installation file is for Windows only and has the file name anyconnect-profileeditor-win-<version>-k9.msi, where <version> is the AnyConnect version. For example, anyconnect-profileeditor-win-4.3.04027-k9.msi. You must also install Java JRE 1.6 (or higher) before installing the profile editor. Obtain the AnyConnect profile editor from https://software.cisco.com/download/home/283000185 in the AnyConnect Secure Mobility Client category.
  • Use the profile editor to create the profiles you need. You should specify the hostname or IP address of the outside interface in the profile. For detailed information, see the editor’s online help.

The following procedure explains how you can create and edit objects directly through the Objects page:

Create an AnyConnect Client Profile Object

  1. In the CDO navigation bar at the left, click Objects.
  2. Click the blue plus button.
  3. Click RA VPN Objects (ASA & FTD) > AnyConnect Client Profile.
  4. In the Object Name field, enter a name for the AnyConnect client profile.
  5. Click Browse and select the file you created using the Profile Editor.
  6. Click Open to upload the profile.
  7. Click Add to add the object.

Overview

Stanford's VPN allows you to connect to Stanford's network as if you were on campus, making access to restricted services possible. To connect to the VPN from your Windows computer you need to install the Cisco AnyConnect VPN client.

Two types of VPN are available:

  • Default Stanford (split-tunnel). When using Stanford's VPN from home, we generally recommend using the Default Stanford split-tunnel VPN. This routes and encrypts all traffic going to Stanford sites and systems through the Stanford network as if you were on campus. All non-Stanford traffic proceeds to its destination directly.
  • Full Traffic (non-split-tunnel). This encrypts all internet traffic from your computer but may inadvertently block you from using resources on your local network, such as a networked printer at home. If you are traveling or using wi-fi in an untrusted location like a coffee shop or hotel, you may wish to encrypt all of your internet traffic through the Full Traffic non-split-tunnel VPN to provide an additional layer of security.

You can select the type of VPN you want to use each time you connect to the Stanford Public VPN.

Install the VPN client

  1. Download the Cisco AnyConnect VPN for Windows installer.
  2. Double-click the InstallAnyConnect.exe file.
  3. When a message appears saying the Cisco AnyConnect client has been installed, click OK.

Connect to the Stanford VPN

  1. Launch the Cisco AnyConnect Secure Mobility Client.
    If you don't see Cisco AnyConnect Secure Mobility Client in the list of programs, navigate to Cisco > Cisco AnyConnect Secure Mobility Client.
  2. When prompted for a VPN, enter su-vpn.stanford.edu and then click Connect.
  3. Enter the following information and then click OK:
    • Group: select Default Stanford split-tunnel (non-Stanford traffic flows normally on an unencrypted internet connection) or Full Traffic non-split-tunnel (all internet traffic flows through the VPN connection)
    • Username: your SUNet ID
    • Password: your SUNet ID password

  4. Next, the prompt for two-step authentication displays. Enter a passcode or enter the number that corresponds to another option (in this example, enter 1 to authenticate using Duo Push to an iPad). Then click Continue.
    • You may have to scroll down the list to see all of your options.
    • If your only registered authentication method is printed list, hardware token, or Google Authenticator, the menu does not display. Enter a passcode in the Answer field and click Continue.
  5. Click Accept to connect to the Stanford Public VPN service.
  6. Once the VPN connection is established, a message displays in the lower-right corner of your screen, informing you that you are now connected to the VPN.

Disconnect from the Stanford VPN

  1. In the notification area, click the Cisco AnyConnect icon if it is displayed. Otherwise, go to your list of programs and click Cisco AnyConnect Secure Mobility Client.
  2. At the prompt, click Disconnect.