The goal: To allow Clientless(portal) connections with only username/password authentication (LDAP in this case) while requiring two-factor (LDAP & Certificate) authentication for AnyConnect connections.
The config: Since the auth methods are configured within connection profiles/tunnel groups, I am using two different profiles, one requiring only LDAP auth for use with clientless and one requiring both LDAP and client certificate authentication for AnyConnect. I have not enabled the option to allow users to choose their connection profile.
The only way I have been able to get the AnyConnect client to use anything other than the "DefaultWEBVPNGroup" profile was to use a URL mapping for the AnyConnect tunnel group, a custom AnyConnect client profile (to specify the custom URL), and a DAP policy to deny AnyConnect connections on the "DefaultWEBVPNGroup" tunnel group.
Resulting behavior: Web portal requires only username and password. Stand-alone AnyConnect connections require username/password & client certificate.
The problem: Weblaunch (launching AnyConnect from the portal) installs the client, but throws an error and disconnects (see attached). Subsequent stand-alone AnyConnect connection attempts work fine.
I assume this issue is related to the different tunnel groups using different authentication methods. If I disable the DAP policy, weblaunch works without erros, but it connects without requiring two-factor authentication.
Does anyone know if what I am trying to do is possible and/or supported? I am open to alternative suggestions as well.