We have just gone through a similar excercise. We are setting up IPSec VPN groups with XAuth. We had previously established aaa services over TACACS+ with the Cisco Secure ACS3.2. We found that after XAuth, the user permissions had to be set insid...