Thank you.  One thing I'm concerned about with this approach is that the instructions ask to load  certificate based on the user account vpnuser.  This looks like if I were to use radius and active directory, that I would have to repeat this step for every active directory user.  Is that your understanding of this note?

Of course, if you would like to use certificate as authentication, each user should have his/her unique certificate. Every user should get their own certificate for the authentication. You can not just use 1 certificate for 50 users for example.

That is the reason why certificate is more secure than pre-shared-key authentication.

I think I understand.  I got the CA cert and Identity cert loaded on to the ASA, and will not have to load any more certificates on it.  The way the instructions read led me to believe I had to go through the process for each user, but I don't think that's the case.  Now that I've done it, I get a syslog error

3    Apr 16 2010    10:14:05    713902                    IP = 74.92.84.70, Removing peer from peer table failed, no match!

3    Apr 16 2010    10:14:00    713048                    IP = 74.92.84.70, Error processing payload: Payload ID: 1

which seems to indicate an IKE issue, but that could only be that the certificates are not correct.  I've went through the process twice following the not, the only discrepancy I saw was that my cert request had IPSEC (Offline Request) template instead of just IPSEC.

I assume you have also loaded the certificate on the vpn client? and the ISAKMP policy for authentication is rsa-sig?

What CA server are you using? Have you also loaded both root and identity certificate on the vpn client?

I loaded two certs on the vpn client as the instructions outlined and I loaded both the identity and ca certs on the ASA.  Here's part of the config.

BG-ASA# sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 55c5b654000000000069
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=insurance
    dc=insurance
    dc=bisys
    dc=org
  Subject Name:
    cn=hbgvpn.crumplifeinsurance.com
    ou=IT
    o=Crump
    l=Harrisburg
    st=PA
    c=US
    hostname=hbgvpn.crumplifeinsurance.com
  CRL Distribution Points:
    [1]  ldap:///CN=insurance,CN=HBG-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bisys,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint
    [2]  http://hbg-ca.insurance.bisys.org/CertEnroll/insurance.crl
  Validity Date:
    start date: 09:46:00 EDT Apr 16 2010
    end   date: 09:46:00 EDT Apr 15 2012
  Associated Trustpoints: ASDM_TrustPoint0

CA Certificate
  Status: Available
  Certificate Serial Number: 34f3c7aa043edc804634907b076c64ed
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=insurance
    dc=insurance
    dc=bisys
    dc=org
  Subject Name:
    cn=insurance
    dc=insurance
    dc=bisys
    dc=org
  CRL Distribution Points:
    [1]  ldap:///CN=insurance,CN=HBG-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=bisys,DC=org?certificateRevocationList?base?objectClass=cRLDistributionPoint
    [2]  http://hbg-ca.insurance.bisys.org/CertEnroll/insurance.crl
  Validity Date:
    start date: 11:28:52 EDT Jun 27 2008
    end   date: 11:38:38 EDT Jun 27 2018
  Associated Trustpoints: ASDM_TrustPoint1

tunnel-group 2factor-VPN type remote-access
tunnel-group 2factor-VPN general-attributes
authentication-server-group VPN
default-group-policy 2factor-auth
tunnel-group 2factor-VPN webvpn-attributes
authentication aaa certificate
group-alias 2factor-SSL enable
tunnel-group 2factor-VPN ipsec-attributes
trust-point ASDM_TrustPoint0

What about your crypto map? Have you also added the "crypto map set trustpoint ASDM_TrustPoint0"?

Oh and btw, your identify cert is on trustpoint ASDM_TrustPoint0, but your CA (root) cert is on trustpoint ASDM_TrustPoint1.

You would need to authenticate your root CA on trustpoint ASDM_TrustPoint0

so I added the crypto map set trustpoint ASDM_TrustPoint0 command, it read the entry is incomplete though, as if it were expecting a match clause.  Besides that, do you mean I should delete the CA cert ASDM_TrustPoint1 and add another CA cert with an associated trustpoint as ASDM_TrustPoint0 to match the Identify cert?

Both CA (root) and identity certificate should belong to the same trustpoint. Currently you have CA root certificate on ASDM_TrustPoint1 and the identity on ASDM_TrustPoint0, so they belong to 2 different trustpoints.

If you check the configuration guide, both certificates belong to 1 trustpoint, ie: CA1.

So in your case, just upload the CA root certificate as follows:

crypto ca authenticate ASDM_TrustPoint0