We have an ASA configured with sslvpn and using AnyConnect clients. Currently we authenticate via LDAP and automatically set the group-policy value via an LDAP value. We have several groups with unique IPs and therefore special access due to their assigned IP address.
We'd like to add SecurID authentication for some of these groups. I've set up a second profile with double authentication, using LDAP with group assignment, and that works fine.
The issue we are facing is that I can find no way to limit access to the double authentication groups from the standard profile, because both profiles are authenticating to the same LDAP server, and the LDAP policy map is configured with the LDAP server.
So all the groups are accessible (with the right credentials) from both the standard single auth profile and the double-auth profile, and there's no way to force the use of the double-auth profile, at least none that I can find.
Thanks for any thoughts on this.