
Authenticate clients differently based on source with certificates


We're currently evaluating using AnyConnect as an always-on overlay VPN in our office networks, as well as for remote access. We want to use certificate authentication for clients connecting from the LAN side of the network (to get a seamless experience for the users), but we want to use RADIUS with OTP for clients connecting from the internet. The clients could be the same laptop, just that the user brought it home to work remotely.

From my understanding, I can use different authentication methods based on interface if I use server groups (LDAP, RADIUS, TACACS+ etc.), but I don't seem to have that choice if I use certificates.

Is there any way to force users to authenticate to a RADIUS server when coming from the outside, and not have to authenticate with anything other than certificates on the LAN side? Having to use the certificate combined with RADIUS + OTP from outside is fine as well, but the key feature here is the seamless part for LAN clients.

I could do 2 connection profiles with the different settings, but as far as I can tell, I cannot enforce the use of a profile on users depending on source IP or username or anything else for that matter, without locking them out of the other profile they are supposed to use for LAN access.

I've reached the limits in the subject with my google-fu, so as a last resort before I use TAC, I thought I'd ask here.
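As an added illustration of the two-connection-profile layout the post describes (not part of the original thread, and not an answer to the enforcement question), the ASA configuration below defines one profile that accepts the client certificate alone and a second one that requires the certificate plus a RADIUS/OTP check. The profile names, group-policy name, interface labels, server address and shared secret are all assumed.

```cisco
! Added example, not from the original thread. Profile names, addresses,
! interface labels and the shared secret are assumed values.

! RADIUS server group used for the OTP check on internet-facing sessions
aaa-server RADIUS-OTP protocol radius
aaa-server RADIUS-OTP (inside) host 10.0.0.5
 key <shared-secret>

! Group policy shared by both profiles (assumed name)
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client

! Profile 1: LAN side, certificate only, so office users see no prompt
tunnel-group TG-LAN-CERT type remote-access
tunnel-group TG-LAN-CERT general-attributes
 default-group-policy GP-ANYCONNECT
tunnel-group TG-LAN-CERT webvpn-attributes
 authentication certificate
 group-alias LAN enable

! Profile 2: internet side, certificate plus RADIUS/OTP
tunnel-group TG-INET-OTP type remote-access
tunnel-group TG-INET-OTP general-attributes
 authentication-server-group RADIUS-OTP
 default-group-policy GP-ANYCONNECT
tunnel-group TG-INET-OTP webvpn-attributes
 authentication aaa certificate
 group-alias Remote enable

! AnyConnect enabled on both interfaces; the alias list is shown to the client
webvpn
 enable outside
 enable inside
 anyconnect enable
 tunnel-group-list enable
```

With `tunnel-group-list enable` the client is offered both aliases regardless of which interface it arrives on, which is exactly the gap the post points out: the two profiles carry different authentication requirements, but nothing in this configuration ties a profile to the source interface or address.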