One of our customers so far operates a Cisco VPN-Concetrator 3000 together with a RSA Authentication Manager in order to authenticate the VPN users.
Upon a VPN or RAS user authentication request from the VPN-Conc the request is forwared to the RSA Auth-Server speaking Radius protocol returns a specific group to the VPN-Conc.
Depending on the user/group assignment in the RSA Auth-Server a specific group-name will be returned to the VPN-Conc which will then assign the user a group-specifig IP-address. The VPN-user to HQ-LAN connections are then controlled on a dedicated firewall.
Because the customer wanted to consolidate the RAS and VPN users on a new Cisco Router, this functionality is actually now required by the newly placed router as well.
So far I did not find any documentation or configuration paper addressing this problem.
Is this possible at all to assign a user a specific IP-address based on a group returned from the RSA Auth-Server as it can be done with a VPN-Conc 3000 ?