Currently our ASA is configured to use LDAP for authenticating VPN clients. I read several manuals that show how to set the ASA up for either LDAP, RADIUS, or LOCAL authentication. What I'd like to do is use both LDAP and LOCAL authentication, such that if a client connects, it would check for local authentication before checking LDAP. Has anyone had success doing this and could share an example config?
It sounds like double authentication isn't what you are looking for. Based on the above requirement, you will be better off configuring a separate tunnel group for your restricted users which will use local authentication exclusively. You can then present the users with a drop down menu on the auth portal where they choose their desired tunnel group. Alternatively, you can configure group-urls in order to direct the users to the correct tunnel group. For example, you could have https://vpn.vpn.com/employee and https://vpn.vpn.com/vendor where the employee TG will use LDAP and the vendor TG will use local auth.