I'm using an ASA 5505, code 8.4(4)1 with AnyConnect 3.0.08057 for SSL VPN connectivity. I have a scenario where I have two different connection profiles; the main difference between the two is that one profile is set up for two-factor authentication (certificate and AAA LDAP w/ AD), and the second profile only has LDAP authentication (for admin access to use with clients that don't necessarily have the required user certificate stored on the local device). While the obvious method to choose between the two profiles at the VPN login would be using the drop-down alias list, my preference would be for the ASA to choose the appropriate profile based on which AD group the user is contained in (i.e. if user is in "Admins" AD group, use Administrator profile, else use default profile). I would think Dynamic Access Policies would be a good place to set this up; however, I'm failing to see how it can be implemented there.
So, I guess my question is: can this functionality be set up using DAP, and if so, how would it be implemented? If not, is there a way to provide this functionality by some other means using AnyConnect?