Documentation seems to be light here. Is it possible to do double authentication using a signed certificate and SAML? The goal would be to authenticate to the ASA with cert, perform SAML auth to the 2FA and authorize the certificate on Cisco ISE. There is no saml group per se so I don't believe I can use the "secondary-authentication-server-group" command.
TLDR: can I use authentication saml certificate command?
aaa-server ISE protocol radius
interim-accounting-update periodic 1
aaa-server ISE (outside) host aa.bb.cc.dd
tunnel-group CERT-DUO type remote-access
tunnel-group CERT-DUO general-attributes
tunnel-group CERT-DUO webvpn-attributes
authentication saml certificate
saml identity-provider https://explorer.cisco.com/dag/saml2/idp/metadata.php