Anyconnect - How does an SSL VPN user choose their group

[gconnect]

Here is the background....
Users in several different administrative groups need to use the SSL VPN (i.e., Finance, Engineering, etc).
When a user logs on how do they choose the group that they should belong to?
I need to allocate specific IP ranges based upon their group assignment, etc.
..also we're using Radius (ACS) that backends the authentication to Microsoft AD

This was easy to do with Cisco VPN Client/IPSec because of the Group password and mapping it to the ASA and/or ACS but how is this done with the SSL VPN Client (Anyconnect). I see ways to configure tunnel groups, group policies, etc, but how does ASA know which group that the user SHOULD belong to?

TIA

 

[unclerico]

1) Group URL's
or
2) Using RADIUS to pass values back to the ASA when the user authenticates. For example, you can set up groups in AD that correspond to your VPN profiles. Add users to their respective group. I use MS IAS so I create a new RADIUS policy for each AD group that I have created, use Windows-Groups as the criteria, and specify the group that should be matched. In the attributes section I choose the Class attribute and place the string OU=accounting_vpn_policy, OU=engineering_vpn_policy, etc. Within the ASA create a new group-policy matching the value that you placed in the Class attribute (group-policy engineering_vpn_policy internal, group-policy accounting_vpn_policy internal, etc). Go into the ASDM and create a new Dynamic Access Policy specifying that those users who match this DAP should have RADIUS value 25 (Class) equal to OU=engineering_vpn_policy, OU=accounting_vpn_policy, etc.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)