Hello
For mobile access, I am trying to implement a solution in which members of a particular AD group are required to pass the DynamicID OTP challenge and the rest of the users in the domain do not have this requirement.
I have seen similar discussions to what it is I am trying to do, but nothing that seems to be exactly that.
1) If you are a member of the "OTP AD Group" then you get the OTP challenge.
2) All other users pass through with only a username/password challenge.
Can anyone point me to a discussion where this has been clearly implemented or an SK?
Hi there,
I also have a client who is interested in this type of solution.
Basically the use case is the client wants to force a particular type of Auth to a particular AD group....
(Is this not something that would have to be done on the remote access client rather than the firewall, since the firewall doesn't know which group the client is in until they authenticate? Sort of a "what comes first, the chicken or the egg" type of thing....)
Anyone got any ideas?
If you configure something in GW for authentication, it is valid for everyone. You can't configure a group1 to use pass+dynamicid and group2 to use cert+pass based on AD groups.
You select what type of auth to use (when you use the SSL portal) or during the installation of a VPN client, before you even enter your username.
I can think of a rather raw solution.
Let's say you configure 2 ways for authentication in CP GW settings:
1) username+pass+dynamicid
2) username+pass+cert
You can switch between them in the VPN client GUI or in the SSL Mobile portal.
If you find a way to install and configure the laptops for group1 to use pass+dynamicid, for group2 pass+cert, and lock this configuration in the VPN client GUI, you will achieve what you're looking for. Of course this is hard work if you have many laptops.
Another really raw solution: if you have 2 separate GWs for VPN, on gw1 configure user+pass+dynamicid, on gw2 configure username+pass+cert. Group1 initiates its VPN to gw1 and group2 to gw2.
Hi Martin,
Thanks for your reply - yes I also thought of this and I managed to change the trac.config file and use the cpmsi_tool.exe to roll a customised msi that only had the single auth version in the drop down - this seemed to work great ...
The only issue is when it connects to the vpn it learns the other methods and repopulates the Auth settings with all the options 🙂
I have not figured out if one can stop that happening as yet 🙂
Thanks
Thanks to everyone for your replies and suggestions. I'm curious what this part of the authentication section would be used for. My VPN clients are working with username/password. Newer clients are bypassing the Dynamic OTP, and I know how to correct that in the settings, but I am really curious what this section is for.
This is how it's configured on my site. When I open the mobile access portal in the browser I have a drop-down menu where I select which method to use.