I'm looking for a way for users to authenticate through the ASA to determine whether or not they are granted access to the Internet. I would like to provide two separate Active Directory groups, for example, GRP-NO-INTERNET and GRP-INTERNET. When a user accesses the Internet, I would like the firewall to obtain an SSO credential and query AD to see if they have access or not and respond accordingly.
I'm currently working with TAC to investigate the possibility of using DAP, but I was curious whether others have successfully tested this or what other options may be available. The end result would be to eliminate the credentials prompt by the firewall and have the authentication done in the background (somehow) without user interaction.