We're replacing our old ASA firewall that was running SSO for Azure SAML and also MFA with Azure. This will be a standalone FTD managed by FDM. The document here states that SSO using SAML 2.0 is unsupported for AnyConnect. It appears LDAP is supported for primary authentication, but I don't see in the configuration where you can specify users in an AD group, e.g. VPN_USERS, and only permit those in the group to access the client VPN. Is this possible?
I've set up secondary authentication using Duo, and I know that works well for using one of the authenticators or sending out a text code. However, the company wants to use RADIUS for secondary authentication, which is tied to AD. It appears that if we use this, they will have to enter credentials a second time. Is there a way to use a RADIUS server this way for only MFA?
Thank you.