23 January, 2014

Combining user-based, machine-based and username-based authentication in Cisco Anyconnect.

After lots of trial and error I got the solution working. Solution requirements were:
  1. Anyconnect must be run with administrative rights
  2. The SBL (Start Before Login) VPN connection must be authenticated with a computer certificate.
  3. Windows user must be able to authenticate VPN connection with:
  • username/password (method: AAA),
  • computer certificate (method: Certificate),
  • personal certificate with password (method: Both).
I have three Anyconnect Connection Profiles, one for each authentication method.
I have one Anyconnect Client Profile tied to all three Group Policies (and therefore also to all three Connection Profiles). The client profile is configured to use SBL and all certificate stores (machine and user). Since the Anyconnect client is run with administrative rights, the client profile does not need Certificate Store Override to be enabled.
I have disabled Automatic Certificate Selection in the client profile with no change in behavior; I have yet to be prompted for certificate selection. This could be a problem if ...
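The client profile settings described above, written out as an AnyConnect VPN profile XML fragment. This is an added illustration, not the author's actual profile: the element names follow the AnyConnect VPN client profile schema (the same XML the ASDM profile editor produces), while the host address, display names and the three UserGroup values (which must match the names of the three Connection Profiles on the ASA) are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of an AnyConnect client profile; hostnames and group names are placeholders -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Start Before Login: the SBL tunnel comes up before the Windows logon and
         is authenticated with the computer certificate -->
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <!-- Search both the machine and the user certificate store -->
    <CertificateStore>All</CertificateStore>
    <!-- Override is only needed when the client does not run with administrative rights -->
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <!-- Disabled so the client should prompt for a certificate instead of picking one -->
    <AutomaticCertSelection UserControllable="false">false</AutomaticCertSelection>
  </ClientInitialization>
  <!-- One entry per Connection Profile; UserGroup selects the tunnel-group on the ASA -->
  <ServerList>
    <HostEntry>
      <HostName>VPN - username and password</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>VPN-AAA</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>VPN - computer certificate</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>VPN-CERT</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>VPN - personal certificate and password</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>VPN-BOTH</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

On the ASA side, each of the three tunnel-groups named in UserGroup carries its own authentication method (AAA, certificate, or both), and all three group policies reference this one profile, which is what lets a single client profile serve all three connection profiles.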
