01-21-2020 07:21 PM
Is it possible to match upon initial Authentication against an AD Group to then have a different Identity Source used?
Generally I'm only aware of it being possible to match against an AD Group AFTER a User has authenticated via an Authorization Policy. Use Case is for VPN users, and the client wants to slowly roll out changing authentication sources (AD to MFA). I've gotten the standard method I'm aware of working, which is via matching on a different Group-Policy and/or Tunnel-Group from the ASA, but they were looking for an easier method to deploy to end users.
If they can't get it to work this way, then I'll just work on modifying the AnyConnect Profile to point to the new FQDN URL and call it good, but I wanted to ask this space if they had ever tried matching against AD Group during initial Authentication Queries.
I'm thinking not, the more I think of it, as the endpoint/user hasn't been sent to the Identity Source which would then pull/provide those details.
01-21-2020 08:38 PM