I am trying to assign separate IP address pools to AnyConnect users based on whether the device they are connecting from has been domain-joined or not (managed device vs unmanaged device). Each domain-joined device does have a machine cert that I can check for. I really don't want to have to use aliases and allow users to select a tunnel group to connect through, and may have situations where a user will connect via managed sometimes, unmanaged other times. DAP works great for identifying the certificate or authenticating via the connection profile/tunnel group, however I don't believe I can assign the IP pool based on the DAP.
Is there a way to auth via the connection profile/tunnel group with certificate and credentials, and fail back (to another connection profile or group policy) if unable to provide the certificate? If not, any recommendations? Is this something that could be taken care of with ACS? Thanks for your help!
If I understand the question, I believe you may be able to use certificate matching rules.
Basically you create a list: if the certificate has field value A then use connection profile A (with IP address pool A), else use profile B (with pool B), etc.
See this guide section for some more details.
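To make the certificate-matching approach concrete, here is an added ASA configuration sketch that is not from the thread or from Marvin's reply. All names (pools, group policies, tunnel groups, the certificate map), the subnets, the issuer CN, the OU value and the group-url are placeholders to be replaced with your own; the commands themselves are standard ASA `crypto ca certificate map` and `webvpn certificate-group-map` syntax, but verify them against the guide for your software release.

```text
! Constructed example, not from the original post. All names and values are placeholders.

! One pool per connection profile.
ip local pool POOL-MANAGED 10.10.10.1-10.10.10.254 mask 255.255.255.0
ip local pool POOL-UNMANAGED 10.10.20.1-10.10.20.254 mask 255.255.255.0

! Group policies carry the pool assignment (could also sit under tunnel-group general-attributes).
group-policy GP-MANAGED internal
group-policy GP-MANAGED attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-MANAGED
group-policy GP-UNMANAGED internal
group-policy GP-UNMANAGED attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-UNMANAGED

! Profile for domain-joined devices: machine certificate AND AAA credentials are required.
tunnel-group TG-MANAGED type remote-access
tunnel-group TG-MANAGED general-attributes
 default-group-policy GP-MANAGED
tunnel-group TG-MANAGED webvpn-attributes
 authentication aaa certificate

! Fallback profile for unmanaged devices: credentials only, reached via the group-url.
tunnel-group TG-UNMANAGED type remote-access
tunnel-group TG-UNMANAGED general-attributes
 default-group-policy GP-UNMANAGED
tunnel-group TG-UNMANAGED webvpn-attributes
 authentication aaa
 group-url https://vpn.example.com/ enable

! Certificate matching rule: fields that only the domain machine certs carry (placeholder values).
crypto ca certificate map MAP-DOMAIN-MACHINE 10
 issuer-name attr cn eq "Example Corp Issuing CA"
 subject-name attr ou eq "Domain Computers"

! Steer sessions whose certificate matches the map to the managed profile.
! A session that presents no certificate (or a non-matching one) never hits the map
! and stays on the profile selected by the group-url, i.e. the unmanaged fallback.
webvpn
 enable outside
 anyconnect enable
 certificate-group-map MAP-DOMAIN-MACHINE 10 TG-MANAGED
```

Two points worth checking in the lab build: the certificate map only inspects fields of a client certificate, so the actual trust decision still comes from the trustpoint that validates the chain, and the map rule should be specific enough that a user certificate from the same CA cannot match it. Also confirm that a client with no certificate lands in TG-UNMANAGED rather than failing, since that fallback behaviour is exactly the case the question is about.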
Thanks for the response Marvin. I had seen the certificate matching rules but wasn't sure if I could fall back to "profile B" by not being able to present a cert at auth for unmanaged devices. I will build this up in test and post my results. Thanks again for the help.