I have an ASA, an ACS appliance, Active Directory, and RSA SecurID. SSL users should only authenticate with AD, while IPSec users should only authenticate with RSA. Not yet using AnyConnect.
Here is my scenario:
ACS -- AD - Dynamic users are created in ACS when authenticated with their AD domain login/password.
ACS -- AD - AD group mapping puts the user in the correct ACS group.
ASA SSL - Matches the username in the ACS group to display customized SSL bookmarks.
All looks good.
ACS -- RSA - Static users in ACS are assigned to an RSA group in ACS configured for authentication with the external RSA DB.
ASA IPSec - Authenticates with ACS.
Question: How does the ASA or ACS know to authenticate IPSec users ONLY via RSA and SSL users only via AD?
What do I have to do to not allow a Windows user to simply enter their AD login/password into their IPSec client and log in? I could see this becoming common with users who don't have their keyfob handy or forget to use it.