You can create group-policy within the ASA to define differences between groups.. the relevant command that will permit IPSec, Anyconnect, and clientless for a group is:
group-policy FirstGroup attributes
vpn-tunnel-protocol IPSec svc webvpn
Just remove whichever protocol you don't want a group to be able to use, like:
group-policy SecondGroup attributes
vpn-tunnel-protocol IPSec webvpn
There are many other settings within the group policy, like dns servers, split tunnel policy, vpn filter (acl's), etc.. If you're not already using groups and group policies, you will need to return the group name from the authenticating server. In our ACS server we set on each group:
"IETF RADIUS Attribute #25" as ou=FirstGroup;
There may be other ways to do it, and you can probably do it from your LDAP also..
You assign the group policy to the group in the tunnel-group definition:
tunnel-group FirstGroup general-attributes
default-group-policy FirstGroup
Hope this helps
More information about LDAP for this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml