We currently have a VPN solution in place which uses a VPN 3000 Concentrator, and CiscoSecure 2.4 Radius authentication. We have "internal" groups defined in the Concentrator with access-controls also defined for those groups. We have authentication pointing to the Radius server which is working fine. We are looking to find a way to setup the Concentrator & CiscoSecure group classes, so that when a user is dragged into a CiscoSecure group the user also is bound to that group on the Concentrator. I'm under the assumption that this has to be done with "External" groups on the Concentrator. If I use "External" groups, are the Concentrator Group Access-Controls still in affect? If not, I need a way so that all access-controls can be done on the Concentrator, which are already configured, and all group designations are done by the CiscoSecure Radius server. Is this possible?