I'm able to do it using 5510, MS 2003 AD as LDAP, and MS 2003 IAS as RADIUS.
- Create users and assign to their group in AD
- Create a policy per user group, i.e., destination IP address and ports.
Users log in by just knowing their username and password. Their user group is transparent to them; there is no drop-down list for the user to select their group.
The downside of this is that you cannot assign a different IP pool per user group. If you want a different IP pool per user group, they will see the drop-down list and they have to select their user group from the list. If they select the wrong user group, they will not be able to log in. If you have too many user groups, it will not be pretty to see them all in the drop-down list.
http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.2/user/guide/pobjpage.html
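As an added illustration of the setup described in this post (not the poster's own configuration), the following is a constructed ASA fragment for the "one connection profile, policy per AD group, no drop-down" design. It assumes a RADIUS server at 192.0.2.10 (placeholder), an AD group named SALES, and that the IAS remote access policy for that group returns the RADIUS Class attribute as `OU=SALES;`, which the ASA maps to the group-policy of the same name. The host and port in the ACL are placeholders.

```text
! Constructed ASA example: RADIUS (IAS) assigns the group-policy per AD group
aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.0.2.10
 key <shared-secret-placeholder>

! Per-group restriction: SALES users may only reach the placeholder app server
access-list SALES_FILTER extended permit tcp any host 10.1.1.20 eq 443
access-list SALES_FILTER extended deny ip any any

group-policy SALES internal
group-policy SALES attributes
 vpn-filter value SALES_FILTER

! Fallback policy for users that RADIUS does not map to any group: deny login
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Single connection profile, so users see no group drop-down at login
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group IAS
 default-group-policy NOACCESS
```

The point of the NOACCESS default is that a user whose AD group has no matching group-policy (or whose IAS policy returns no Class attribute) is denied rather than silently landing in an unrestricted default policy; check the ASA logs for sessions that hit the default group-policy when validating the mapping.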