I have VPN clients coming into a router and getting x-authenticated using TACACS/ACS 3.0. Till now I was using local group authetication. My requirement is to only allow specific user to authenticate on vpn and not all users in ACS database. I believe this can be done if I setup the group authentication also in ACS. Can you please share docs on how to set it up.