Authenticate clients differently based on source with certificates
We're currently evaluating using AnyConnect as an always-on overlay VPN in our office networks, as well as for remote access. We want to use certificate authentication for clients connecting from the LAN side of the network (to get a seamless experience for the users), but we want to use RADIUS with OTP for clients connecting from the internet. The clients could be the same laptop, just that the user brought it home to work remotely.
From my understanding, I can use different authentication methods based on interface if I use server groups (LDAP, RADIUS, TACACS+ etc.), but I don't seem to have that choice if I use certificates.
Is there any way to force users to authenticate to RADIUS when coming from the outside, while not having to authenticate with anything other than certificates on the LAN side? Having to use the certificate combined with RADIUS + OTP from outside is fine as well, but the key feature here is the seamless part for LAN clients.
I could do two connection profiles with the different settings, but as far as I can tell, I cannot enforce the use of a profile on users depending on source IP or username or anything else for that matter, without locking them out of the other profile they are supposed to use for LAN access.
I've reached the limits in the subject with my google-fu, so as a last resort before I use TAC, I thought I'd ask here.
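For reference, the "two connection profiles" option mentioned in the post looks like the following on an ASA. This is an added illustration, not configuration from the original poster or from Cisco documentation; the tunnel-group, group-policy, server-group and interface names, the RADIUS host address and the group aliases are assumed placeholders.

```cisco
! Added example (not from the post): two AnyConnect connection profiles
! with different authentication on a Cisco ASA. All names and addresses
! below are assumed placeholders.

! RADIUS server group used for OTP on the Internet-facing profile
aaa-server RADIUS-OTP protocol radius
aaa-server RADIUS-OTP (inside) host 10.10.0.5
 key <radius-shared-secret>

! Group policies referenced by the two profiles (assumed names)
group-policy GP-LAN internal
group-policy GP-LAN attributes
 vpn-tunnel-protocol ssl-client
group-policy GP-INET internal
group-policy GP-INET attributes
 vpn-tunnel-protocol ssl-client

! AnyConnect enabled on both the LAN-facing and the Internet-facing interface;
! tunnel-group-list lets the client pick a profile by alias
webvpn
 enable inside
 enable outside
 anyconnect enable
 tunnel-group-list enable

! Profile 1: LAN clients, certificate only (seamless, no user prompt)
tunnel-group LAN-CERT type remote-access
tunnel-group LAN-CERT general-attributes
 default-group-policy GP-LAN
tunnel-group LAN-CERT webvpn-attributes
 authentication certificate
 group-alias LAN enable

! Profile 2: Internet clients, certificate plus RADIUS/OTP
tunnel-group INET-OTP type remote-access
tunnel-group INET-OTP general-attributes
 authentication-server-group RADIUS-OTP
 default-group-policy GP-INET
tunnel-group INET-OTP webvpn-attributes
 authentication aaa certificate
 group-alias INET enable
```

Note the limitation this fragment makes visible, which is the same one the post raises: with `tunnel-group-list enable` the client chooses the profile by alias, and nothing here ties the LAN alias to clients arriving on the inside interface or the INET alias to clients arriving on the outside interface. A laptop on the LAN can still select INET, and a laptop on the internet can still select LAN and authenticate with its certificate alone, so profile selection by itself does not enforce the stronger authentication for remote clients.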