We would like to be able to differentiate between VPN connections from iPhones and VPN connections from software clients on PCs.
We currently have 1 common Groupname for VPN connections to our ASA pair, so I assumed I could create a new Groupname for iPhones. This is easy enough; however, when the users are authenticating via ACS (RSA + AD database mapping) I have no way of differentiating them from their regular PC connections.
I have researched some RADIUS attributes usable in Network Access Profiles; however, I do not see any option to use Groupname as a filter.
Is this possible? If not, is there another way to differentiate this traffic and ideally assign the iPhone connections different ACLs (or IP addresses which can then be used to apply different ACLs on the ASA)?
Our setup is:
ASA 5520 failover pair running 8.0.4, ACLs for each VPN group, RADIUS authentication to ACS, IPsec VPN
ACS 4.2 for Windows with RSA and AD Database mappings
AD on server 2008 R2, users placed in AD groups to map to ACS groups for IP address assignment