We're trying to implement RSA SecurID for our VPN user as well as access to our routers/switches/firewalls. RSA supports RADIUS, but not TACACS.
So RSA support has shown me how to setup a radius profile in their software that sends a class attribute, such as class=ou=admin to the ASA that they say will let me differentiate my admin users from VPN users. But I can't seem to figure out where this matches up with something on the ASA. I've been able to get myself logged in via VPN and SSH, but I obviously don't most VPN users to be able to SSH into the device.
Any tips as to how to differnetiate admin users from VPN users via RADIUS?