NAC Conundrum - 1 CAS for Remote Access and Wireless Users

Omkar Tambalkar
Level 1

I am scratching my head with this but getting more confused:

Background:

The customer has 2 CAS servers. One CAS is already in production as an OOB Real-IP Gateway for their wired LAN users. They want to use NAC for the remote-access VPN users and wireless users.

The VPN users terminate on ASA 5520 that is also the Internet firewall and is running 8.2(5). The WLC (wireless LAN controller) is 4402 and running 6.0.

I am planning to use the second CAS for the remote-access and wireless users. Because VPN users only support in-band, I have to use In-band mode on the second CAS.

When I set the CAS up as an In-band virtual gateway and tried to policy route the VPN traffic to the untrusted interface of the CAS, the policy routing would not work because the route-map would not allow using the port connected to the untrusted port of the CAS in the "set interface" option. I looked at the documentation and it mentioned that this option will work only for P2P interfaces.

The second option is to use the set VLAN feature of the group policy to present a VLAN to the VPN users but I am trying to wrap my head around the configuration on the ASA as well as the core switch but I am not getting anywhere.

I tried to look for examples or more information but could not find any.

The high-level diagram is as follows:

                                                    Wireless Controller
                                                             |
                                                             |
                                                             |
 VPN Users------------->ASA------------->Core Switch------------->(Internal Network)
                                                       |             |
                                                       |             |
                                          CAS Untrust      CAS Trust

I would really appreciate any input, comments or suggestions.

Sincerely,

Omkar

1 Reply

Tarik Admani
VIP Alumni

Omkar,

It was a pleasure helping you. We ended up using the VLAN mapping feature for the group policy the users were connecting in from. We then set a static route to force the users to hit the Clean Access Server.

Thanks,

Tarik
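The following configuration fragments are an added illustration of the approach described in the reply (group-policy VLAN mapping on the ASA plus a static route toward the CAS); they are not configuration posted in the thread and have not been taken from the customer's devices. Everything specific to them is assumed for the example: VLAN 100 for the CAS untrusted side and VLAN 101 for its trusted side, the subnets 10.100.0.0/24 and 10.100.1.0/24, the VPN address pool 192.168.50.0/24, the interface names, and that the second CAS runs as an In-band Real-IP Gateway, the mode in which the CAS is a routed next hop and a static route "to" the CAS therefore means something. ACLs and NAT exemption are omitted. One caveat on the first approach in the question: on a multi-access (Ethernet) segment, IOS policy routing is normally written with `set ip next-hop <CAS untrusted address>` rather than `set interface`; the VLAN-mapping design below avoids policy routing altogether.

```cisco
! ---- ASA 5520 (8.2) ---- example only, assumed addressing
!
! Dedicated subinterface that carries NAC-checked VPN users toward the
! CAS untrusted side (VLAN 100), separate from the regular inside interface
interface GigabitEthernet0/1.100
 vlan 100
 nameif vpn-nac
 security-level 100
 ip address 10.100.0.1 255.255.255.0
!
! Address pool handed to remote-access clients (assumed range)
ip local pool VPN-POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
!
! VLAN mapping: decrypted traffic from clients using this group policy is
! forwarded onto VLAN 100 instead of the inside interface
group-policy GP-VPN-NAC internal
group-policy GP-VPN-NAC attributes
 vlan 100
 address-pools value VPN-POOL
!
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 default-group-policy GP-VPN-NAC
!
! Static route: from the VPN VLAN the internal network (assumed 10.0.0.0/8)
! is reachable only via the CAS untrusted address, so every VPN user is
! forced through the NAC server before reaching anything internal
route vpn-nac 10.0.0.0 255.0.0.0 10.100.0.2 1

! ---- Core switch (Catalyst IOS) ---- example only, assumed addressing
!
vlan 100
 name CAS2-UNTRUSTED-VPN
vlan 101
 name CAS2-TRUSTED
!
! VLAN 100 stays Layer 2 only (no SVI): if the core routed VLAN 100 itself,
! VPN users could bypass the CAS entirely
interface Vlan101
 description CAS2 trusted side
 ip address 10.100.1.1 255.255.255.0
!
! Access ports facing the two CAS interfaces
interface GigabitEthernet1/0/1
 description CAS2 untrusted
 switchport access vlan 100
interface GigabitEthernet1/0/2
 description CAS2 trusted
 switchport access vlan 101
!
! Trunk toward the ASA inside port must also carry VLAN 100
interface GigabitEthernet1/0/3
 description ASA inside trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 100
!
! Return path: the VPN pool lives behind the CAS trusted address, so replies
! from the internal network also traverse the CAS
ip route 192.168.50.0 255.255.255.0 10.100.1.2
```

The CAS side is configured through the Clean Access Manager web interface rather than a CLI: the untrusted address 10.100.0.2/24 and trusted address 10.100.1.2/24 assumed above, a default route to 10.100.1.1, and a static route back to 192.168.50.0/24 via the ASA subinterface 10.100.0.1. A quick check that the design holds is to trace the path from a VPN client to an internal host in both directions and confirm that neither the ASA nor the core switch has a more specific route that skips 10.100.0.2 or 10.100.1.2.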