We use the ISE for VPN (connection with openldap). On the authentication policy you have multiple options. We used the network access - device ip address option. On the Authorization tab we used again the ip address option in combination with an ldap attribute where there was a definition of the status of the person (student, teacher, admin,...). On the policy elements tab we made some authorization profiles in results - authorization - authorization profiles. When you make a new profile you can select under Common tasks the asa vpn attribute. There you can for example insert admin.
So if you have an admin user that wants to login:
authentication: user found in ldap (or ad)
authorization:
-user is coming from asa ip address
-user attribute is admin
= user is authorized for the admin class on your asa vpn device.