We have a Cisco ASA providing remote access VPN services which also uses DUO for MFA.  We want to achieve the following 2x things

1. The VPN group policy should be assigned based on Active Directory group 

2. For shell access the priviledge level should be assigned on Active Directory Group

The ASA must use DUO/AD for both VPN and Shell access.