Anyconnect XML profile questions

JG1978
Level 1

Today we use a unique Group URL for each of our AnyConnect profiles, so that we have 1 .xml per AnyConnect profile and 1 group policy per connection.

 

For example today:

https://example.com/vpn1

https://example.com/vpn2

 

The client gets an XML for VPN1 or VPN2 (depending on which one you connect to initially), then the drop-down in AnyConnect has an option that you click for future connections (VPN1 or VPN2).

 

I want to collapse this so the ISE authorization profile overrides the Group policy and all users can now use 1 connection/profile.

https://example.com/VPN

 

The new XML profile user group and drop-down will say VPN, and then the group policy is overridden by the ISE authZ profile ASA Class = "group policy name". This lets me control the group policy from the back end and have all users connect to one profile regardless of what they need access to.

 

However, when I had a user type the new URL (https://example.com/VPN), AnyConnect automatically switched to using the existing drop-down for VPN1. I saw it first hand and cannot figure out why. There should be no hooks between them.

 

So today:

Group URL in anyconnect tunnel profile:

https://example.com/VPN1

Group policy named VPN1

Anyconnect XML profile server list:

https://example.com user group /VPN1

Name VPN1

 

New:

Group URL in anyconnect tunnel profile:

https://example.com/VPN

Group policy named VPN

Anyconnect XML profile server list:

https://example.com user group /VPN

Name VPN

ISE Class=VPN  (will change for specific users and vendors that need different Group policy based on ISE user ID)

 

I checked the user's .xml myself and the existing one says VPN1 and /VPN1 for the user group. When the user typed in https://example.com/VPN, AnyConnect would automatically change it to the "VPN1" XML and use all those settings. I deleted all the XML files and restarted the client, and they received the new VPN XML on the next attempt. I am worried I have a misconfig before I roll this out to everyone and start breaking profiles. Has anyone seen this or have any insight?
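The manual check of cached profiles described in the post can be scripted. The following is an added example, not part of the original post: it parses AnyConnect profile XML, lists every server-list entry, and reports hosts that appear with more than one user group. The two sample profiles and the file names `vpn1.xml` and `vpn.xml` are constructed from the values in the post; the element names (`HostEntry`, `HostName`, `HostAddress`, `UserGroup`) are those of the AnyConnect profile schema.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample profiles built from the values quoted in the post.
OLD_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>VPN1</HostName>
      <HostAddress>example.com</HostAddress>
      <UserGroup>VPN1</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""
NEW_PROFILE = OLD_PROFILE.replace("VPN1", "VPN")

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def host_entries(xml_text, source):
    """Return one dict per <HostEntry> found in a profile."""
    entries = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "HostEntry":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        entries.append({
            "profile": source,
            "name": fields.get("HostName", ""),
            "address": fields.get("HostAddress", "").lower(),
            "user_group": fields.get("UserGroup", "").strip("/"),
        })
    return entries

def overlapping_hosts(profiles):
    """Map each host address to its entries when 2+ user groups share it."""
    by_host = defaultdict(list)
    for source, xml_text in profiles.items():
        for entry in host_entries(xml_text, source):
            by_host[entry["address"]].append(entry)
    return {host: es for host, es in by_host.items()
            if len({e["user_group"] for e in es}) > 1}

if __name__ == "__main__":
    cached = {"vpn1.xml": OLD_PROFILE, "vpn.xml": NEW_PROFILE}
    for host, entries in overlapping_hosts(cached).items():
        for e in entries:
            print(f'{host}: {e["profile"]} -> "{e["name"]}" /{e["user_group"]}')
```

To run it against a real client, read the `.xml` files from the client's profile directory into the `cached` dictionary in place of the two sample strings.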
