VPN Login first with RSA and then AD?

darren-lacasse
Level 1

I've run into a situation I hadn't considered when we stood up our RSA 2-factor authentication for VPN. We use AnyConnect clients to hit our Cisco VPN concentrators, which then pass off authentication responsibilities to ISE, and ISE knows which Identity Store to use based on where the authentication request is coming from and what group(s) a person belongs to.

We now have a service provider that will reach right into a product they manage for us when we call and say there is a problem. However, the tech/engineer assigned to the issue could be one of many from their pool of available resources. The service provider only wants 1 token, which will be "locked up" and the PIN "locked up" separately as well, so when we report a problem they can connect and resolve it.

I won't issue a single token to them because they are associated with AD accounts but I could create a generic account local to RSA they could authenticate against if they could then auth with their AD creds before connecting.


So my question is: has anyone done this? Is it possible to have AnyConnect ask for SecurID authentication and then come back with a prompt for AD authentication?

Thanks

1 Reply

Herbert Baerten
Cisco Employee

Hi Darren,

Should be no problem, using double authentication:

! secondary server: the engineer's individual AD account, via LDAP
aaa-server myLDAP protocol ldap
 ...
! primary server: the shared SecurID token, via SDI
aaa-server myRSA protocol sdi
 ...
tunnel-group foo general-attributes
 authentication-server-group myRSA
 secondary-authentication-server-group myLDAP [use-primary-username]

This will prompt for 2 usernames & 2 passwords, unless you add "use-primary-username", but I guess in your case you do need 2 different usernames.

hth

Herbert
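A fuller ASA configuration built around the two-server approach in Herbert's reply, added here as an example; it is not from the original thread, Cisco documentation, or either poster. It follows the reply in pointing the secondary authentication directly at AD over LDAP (the original setup routes through ISE, which is not shown). Every server name, address (RFC 5737 / RFC 1918 ranges), DN, pool, ACL and group-policy name is an assumption, and the `authenticated-session-username secondary` line is included on the assumption that this tunnel-group command is available on the running ASA version. The security point it adds beyond the reply: because the SecurID token and PIN are shared by the whole vendor pool, the first factor identifies the vendor company, not a person; the AD credential in the second prompt is what ties each session to an individual engineer in session logs, and the group-policy confines that session to the one managed appliance.

```cisco
! --- Added example, not the thread's own config. All names/addresses are assumptions. ---
!
! Primary factor: the vendor's single shared SecurID token, checked against
! RSA Authentication Manager (assumed at 192.0.2.10) over SDI.
aaa-server myRSA protocol sdi
aaa-server myRSA (inside) host 192.0.2.10
 retry-interval 5
 timeout 10
!
! Secondary factor: the individual engineer's AD account, checked over LDAP
! (assumed domain controller at 192.0.2.20). Bind account and OU are placeholders.
aaa-server myLDAP protocol ldap
aaa-server myLDAP (inside) host 192.0.2.20
 server-type microsoft
 ldap-base-dn ou=Vendor Accounts,dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa-ldap,ou=Service Accounts,dc=example,dc=com
 ldap-login-password CHANGE-ME-PLACEHOLDER
!
! Least privilege: vendor sessions get their own address pool and a vpn-filter
! that only allows HTTPS and SSH to the managed appliance (assumed 192.0.2.50).
! vpn-filter ACLs are written with the VPN client (the pool) as the source.
ip local pool vendor-pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
access-list vendor-acl extended permit tcp 10.10.10.0 255.255.255.0 host 192.0.2.50 eq 443
access-list vendor-acl extended permit tcp 10.10.10.0 255.255.255.0 host 192.0.2.50 eq 22
access-list vendor-acl extended deny ip any any
!
group-policy vendor-support-policy internal
group-policy vendor-support-policy attributes
 vpn-tunnel-protocol ssl-client
 address-pools value vendor-pool
 vpn-filter value vendor-acl
!
! The tunnel-group ties the two servers together. AnyConnect shows two
! username/password prompts: shared token account first, AD account second.
! use-primary-username is deliberately NOT set, since the two usernames differ.
tunnel-group vendor-support type remote-access
tunnel-group vendor-support general-attributes
 authentication-server-group myRSA
 secondary-authentication-server-group myLDAP
 default-group-policy vendor-support-policy
 ! Assumed command: record the AD (secondary) username as the session's
 ! username so syslog/AAA accounting names the individual engineer.
 authenticated-session-username secondary
tunnel-group vendor-support webvpn-attributes
 group-alias vendor-support enable
```

When testing this, verify three things before handing the profile to the vendor: the first prompt fails with a wrong tokencode even when the AD credentials are right, the second prompt fails with a disabled or mistyped AD account even when the token is right, and a session that passes both can reach only the managed appliance (the `deny ip any any` at the end of the filter is what makes anything else fail). Disabling a departed engineer's AD account then revokes their access without touching the shared token.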