I have a little problem...
I'm doing authentication on an ASA with RADIUS (authenticating against AD) for both console management authentication and remote access VPN users.
I can distinguish between different tunnel groups with the group-lock command and assign different groups to different tunnel groups.
The problem is that all VPN user groups can log in with SSH or ASDM for management because there is no "group-lock"-like way to separate them.
Maybe you'll say - use a different RADIUS server for this purpose, but it's not really a scalable solution and I'd rather not use it.