first of all, let's clarify that on the ASA you have tunnel-groups (named connection profiles in ASDM) and group-policies. These often, but not always, have a one-to-one mapping.
The Tunnel-Group (TG) is either selected by the user (either from a drop down list or by entering a specifiv group-url), or automatically selected by a certificate map (i.e. based on a certain field in the user cert, the user is mapped to one TG or another). The TG mainly specifies what kind of authentication is used.
The Group-Policy (GP) by default is the one specified in the TG, but it can be overridden by e.g. Radius.
So from the ASA's standpoint itself your posibilities are rather limited: the ASA will just apply whatever group-policy you push from Radius (in IETF attribute 25 aka "Class"), and in addition it will deny access to a user if the TG he selected does not match the value of the group-lock attribute. Group-lock can only contain one TG name, so you cannot do something like "allow both B and Z".
In other words you can not achieve your goal if the Radius server has a "static" set of attributes per user.
However, as of ASA 8.4.3 the ASA now sends 2 vendor-specific attributes in the Access-Request:
vendor ID = 3076, attribute 146 is "Tunnel Group Name" (string).
vendor ID = 3076, attribute 150 is "Client Type" (integer)
Re: ASA and ACS 5 multiple VPN profiles for one user
It's possible. First of all you need to create vpn profile A and B , after these you need to create access policy and there identity group witch group want to give access and add A,B profiles that profile section. You need to just create access policy rule after group and profiles configuration.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...