Remote VPN - two-factor authentication with Cisco ASA + OpenLDAP
Isn't phone-based auth an option? I prefer that because it's much less of a maintenance burden than certs. For example, to allow someone new to use VPN, you just fill his/her phone number in LDAP, then maybe add him/her to the VPN-enabled users group (if you do that kind of filtering at all), and that's it. Whereas with certs you have to generate a cert, then give it to the user, and then the user needs to take care of it. OTOH a cellphone is pretty much natural for everyone to have.
So I went with phone-based two factor authentication, maybe it'll also help you in some way.
Cisco AnyConnect with Active Directory and Azure Multi-Factor Auth
It's rather easy to do, you can do it all from the GUI. But it's based on AD. Though MSAF supposedly supports LDAP as well, so it should be doable for you, too. The only caveat is that Azure phone calls cost money, either $1.4/user/month or $1.4/10 calls. I'd say it's quite negligible.
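The provisioning step described in the answer above (phone number in LDAP, membership in a VPN-enabled group) has one obvious failure mode: a user lands in the group without a usable number, and the phone factor can never reach them. The script below is an added example, not code from the thread or from any Cisco/Azure product; it runs over a constructed LDIF export and lists group members whose number is missing or not in E.164 form. The group name `vpn-users`, the `groupOfNames`/`member` layout and the `mobile` attribute are assumptions that should be adjusted to the real directory schema.

```python
import re
from typing import Dict, List

# Constructed sample LDIF export (not from the thread): three users, one group.
# alice has a usable number, bob has none, carol's is not E.164.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
mobile: +15551230001

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: uid=carol,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
mobile: 555-0003

dn: cn=vpn-users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: vpn-users
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com
"""

# E.164: leading '+', first digit 1-9, 7 to 15 digits in total.
E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse a minimal LDIF dump into {dn: {attr: [values]}}.

    Handles blank-line record separators, '#' comments and folded
    continuation lines (leading space). Base64 ('::') values are kept
    verbatim rather than decoded, which is enough for this check.
    """
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = None
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr:
            # Folded line: append to the previous attribute value.
            current[last_attr][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:
            current = None
            last_attr = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        value = value.strip()
        if attr == "dn":
            current = {}
            entries[value] = current
            last_attr = None
            continue
        if current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    return entries


def members_without_usable_phone(entries: Dict[str, Dict[str, List[str]]],
                                 group_dn: str,
                                 phone_attr: str = "mobile") -> List[str]:
    """Return member DNs of group_dn with no E.164 number in phone_attr.

    A member DN that does not resolve to an entry is reported too, since
    a dangling membership can never be called either.
    """
    group = entries.get(group_dn)
    if group is None:
        raise KeyError(f"group not found: {group_dn}")
    flagged = []
    for member_dn in group.get("member", []):
        entry = entries.get(member_dn)
        numbers = entry.get(phone_attr, []) if entry else []
        if not any(E164_RE.match(n) for n in numbers):
            flagged.append(member_dn)
    return flagged


def audit_sample() -> List[str]:
    """Run the check over the constructed export."""
    return members_without_usable_phone(
        parse_ldif(SAMPLE_LDIF), "cn=vpn-users,ou=groups,dc=example,dc=com")


if __name__ == "__main__":
    for dn in audit_sample():
        print("no usable phone number:", dn)
```

Run it against an `ldapsearch -LLL` export of the people and group subtrees before enabling the phone factor for a group; anyone it lists will be locked out (or, depending on the MFA fallback policy, silently exempted), which is the situation to catch in provisioning rather than at the helpdesk.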