Testing for Misuse

In a recent office move, I set up the new VPN, running AnyConnect off of an ASA 5505. For authentication, it uses RADIUS against domain usernames/passwords, as well as checking for the presence of domain certificates. It’s a great two-factor authentication mechanism, and when used correctly, it works very well.

However, as all of us know, so few end users actually use technology in the way it was intended. It’s clear to me now that every verification and testing stage should include tests for misuse, because God only knows how our end users are going to try to use things.

The challenge here is after conceiving, designing and implementing a solution (and understanding how it SHOULD work), you’ve got to approach it with a noob mindset. If this is especially difficult, my recommendation is to recruit a technophobe from within the company, maybe from accounting who likes paper ledgers, or maybe somebody who doesn’t have a computer at home. With their able help, you should be able to misunderstand and misuse it in no time flat.