Is it possible to tie Windows AD group membership to authentication for a particular VPN connection profile on PIX/ASA?
I am using Windows IAS for RADIUS to authenticate VPN users. I have configured IAS to require that users are a member of the AD group "RemoteAccess". This works fine, but is applied against all connection profiles on the PIX/ASA. I would like to find a way to make this more granular.
For example, a remote user with the connection profile "VPN1" could only authenticate if a member of the Active Directory group "VPN Group 1". Other users would be issued a different connection profile "VPN2" and could only authenticate if a member of a different AD group "VPN Group 2" (each connection profile would have a different encryption domain, restricting which networks and hosts the user can tunnel to).
It looks to me that using IAS for RADIUS with PIX/ASA is an all-or-nothing proposition (as far as AD group membership is concerned). The IAS Remote Access policy can require membership in a particular AD group, but this policy is applied against all RADIUS authentication attempts.
I'd like to have the PIX/ASA be able to send AAA requests to the same IAS server for all connection profiles and have these evaluated differently for AD group membership (connection profile "VPN1" requires AD group "VPN Group 1", connection profile "VPN2" requires AD group "VPN Group 2", etc.).
Is this possible?
Thanks in advance for any suggestions.