How VPN works

It's really simple and basic.

When a user connects to their VPN using the AnyConnect client, both the router and the user need to authenticate themselves for a successful connection. Note: This must be an IPSec connection and not an SSL connection. As the default behavior of AnyConnect is an SSL connection, you need to update the AnyConnect XML file so that AnyConnect performs an IPSec connection.

  1. The router presents its certificate to the user, which lets the user know that it is a genuine/trusted VPN router. This means the router needs to have a certificate installed and signed by a 3rd party CA, and obviously the user would need to trust that CA. Most 3rd party CAs (ex: GoDaddy, DigiCert) are already trusted in our browsers.
  2. The router now asks the user for their username and password. At this step, you see your AnyConnect client requesting a username and password.
  3. After steps 1 & 2 are a success, you are connected to the VPN.
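
The note above says the AnyConnect XML file must be changed so the client connects over IPsec instead of its default SSL. As an added example (not from the original page), this Python script audits a profile and lists the host entries that would still use SSL; the sample profile, host names and function names are constructed for illustration, and it assumes the profile's `PrimaryProtocol` element is what selects IPsec.

```python
import xml.etree.ElementTree as ET

# XML namespace declared by AnyConnect profile files.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample profile: host names and addresses are placeholders.
SAMPLE_PROFILE = """
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ServerList>
    <HostEntry>
      <HostName>vpn-default</HostName>
      <HostAddress>vpn1.example.com</HostAddress>
    </HostEntry>
    <HostEntry>
      <HostName>vpn-ipsec</HostName>
      <HostAddress>vpn2.example.com</HostAddress>
      <PrimaryProtocol>IPsec</PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

def audit_profile(xml_text):
    """Return {HostName: protocol} for every HostEntry in the profile.

    An entry with no PrimaryProtocol element is reported as "SSL",
    the client default described above.
    """
    root = ET.fromstring(xml_text.strip())
    result = {}
    for entry in root.iterfind(".//ac:HostEntry", NS):
        name = entry.findtext("ac:HostName", default="(unnamed)", namespaces=NS).strip()
        proto_el = entry.find("ac:PrimaryProtocol", NS)
        # PrimaryProtocol can carry child elements; only its leading text names the protocol.
        proto = (proto_el.text or "").strip() if proto_el is not None else ""
        result[name] = proto or "SSL"
    return result

def non_ipsec_hosts(xml_text):
    """List host entries that would not connect over IPsec."""
    return [h for h, p in audit_profile(xml_text).items() if p.lower() != "ipsec"]

if __name__ == "__main__":
    for host, proto in audit_profile(SAMPLE_PROFILE).items():
        print(f"{host}: {proto}")
    print("Still defaulting to SSL:", non_ipsec_hosts(SAMPLE_PROFILE))
```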