I've searched through the forums a bit and there were several conversations that were similar to what I was doing, but I could not find any that were exact. Here is my scenario:
One ASA5520 as the Remote Access VPN head unit (IPSEC).
One Cisco ACS Server for VPN authentication as well as network device authentication for admins.
Network Device authentication uses TACACS. Remote Access VPN uses RADIUS. I have an Active Directory group that is mapped to an NDG that VPN users authenticate with.
I have need of a new, separate VPN for consultants. I want to use a different tunnel group and IP address range so I can define downloadable ACLs based on the group - not the users.
When I try and map another NDG to a new AD group, that works. When I try and add the ASA's IP address as the requestor, I'm greeted with a message that I cannot add the same IP twice.
There has to be a way to do this with such a robust server...