Hi
Try this. In the VPN group, create an IP-based NAR that doesn't permit anything. This will get applied to any TACACS+ device-admin type authentication.
In the admin users group, create a CLI/DNIS NAR that doesn't allow anything.
Generally, IP NARs get applied to TACACS+ and DNIS/CLI to RADIUS.
In theory, a T+ login from a VPN user will get filtered, and a RADIUS login from an admin user will get filtered.
The possible stumbling point is how ACS applies the NAR to RADIUS VPN authentications. It uses some tortuous logic, but generally:
if IP address in authen rq ---> apply IP filter
if no IP address ---> apply DNIS/CLI filter
Fingers crossed the VPN auths don't include Framed-IP-Address!
Don't think even ACS v4.0 helps a huge amount, because Network Access Profiles (NAPs) are RADIUS-only.
Darran
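The filter-selection rule described in the reply above, as an added example that is not part of the thread: a small Python model of per-group NARs and the "IP present, apply the IP NAR; otherwise apply the CLI/DNIS NAR" choice, including the case where a RADIUS VPN request carries Framed-IP-Address. The group names, users, request fields and the "permit nothing" filters are constructed; real ACS matching is more involved than this model.

```python
# Added example (not from the forum post): a simplified model of how a group's
# Network Access Restrictions (NARs) get selected and applied, following the
# rule stated in the reply: a request that carries a client IP is checked
# against the group's IP NAR, a request without one against the CLI/DNIS NAR.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Nar:
    kind: str                                   # "ip" or "cli_dnis"
    permitted: set = field(default_factory=set)  # empty set = permit nothing


@dataclass
class Request:
    protocol: str                    # "tacacs+" or "radius" (informational)
    user: str
    client_ip: Optional[str] = None  # set on T+ logins, or RADIUS with Framed-IP-Address
    cli_dnis: Optional[str] = None   # calling/called number on dial/VPN style requests


# Constructed data: which group each user belongs to and the NARs per group.
USER_GROUP = {"alice": "vpn", "bob": "admin"}
GROUP_NARS = {
    "vpn":   [Nar("ip")],        # IP NAR permitting nothing: blocks T+ device-admin logins
    "admin": [Nar("cli_dnis")],  # CLI/DNIS NAR permitting nothing: blocks RADIUS logins
}


def select_nar_kind(req: Request) -> str:
    """The rule from the post: IP in the request -> IP filter, else CLI/DNIS filter."""
    return "ip" if req.client_ip is not None else "cli_dnis"


def nar_permits(nar: Nar, req: Request) -> bool:
    key = req.client_ip if nar.kind == "ip" else req.cli_dnis
    return key in nar.permitted


def authorize(req: Request) -> str:
    """Return "accept" or "reject" for the request under the group's NARs."""
    group = USER_GROUP.get(req.user)
    if group is None:
        return "reject"  # unknown user: no group, no access
    kind = select_nar_kind(req)
    for nar in GROUP_NARS.get(group, []):
        if nar.kind == kind and not nar_permits(nar, req):
            return "reject"
    return "accept"  # no NAR of the selected kind applies, so nothing filters it
```

The last assertion in the test is the stumbling point from the post: a RADIUS VPN login that does carry Framed-IP-Address gets the IP NAR applied and is rejected, so that attribute's presence is what to check when VPN users suddenly fail.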