The easy way out
It never fails to surprise me how many ssl-vpns are authenticated by the AD domain.
Seen it used in ASAs as well. All you have to do is exploit the AD and then you make as many vpn logins as you can sell.
Guys, put a bit of a gap between your layers of security, or at least till the lazy powers at be that can’t remember 2 passwords force you to change. They will be the ones that can’t understand how to do 2 factor.