VPN LDAP and RSA dual Authentication

ranilf2005
Level 1

Hi,

Is there any possibility of configuring both LDAP and RSA (SID) for authentication (basically, it should first authorize from LDAP and second from the RSA ID)?

Ranil Fernando

wong34539
Level 6

You can configure the security appliance to receive user attributes from either the LOCAL/internal database, a RADIUS/LDAP authentication server, or a RADIUS/LDAP authorization server. You can also place users into group-policies with different attributes, but the user attributes will always take precedence. After the device authenticates the user and group(s), the security appliance combines the user and group attribute sets into one aggregate attribute set. The security appliance uses the attributes in the following order and applies the aggregate attribute set to the authenticated user.

1. User attributes: The server returns these after successful user authentication or authorization. These take precedence over all others.

2. Group policy attributes: These attributes come from the group policy associated with the user. You identify the user group policy name in the local database by the 'vpn-group-policy' attribute or from an external RADIUS/LDAP server by the value of the RADIUS CLASS attribute (25) in the format 'OU=GroupName;'. The group policy provides any attributes that are missing from the user attributes. User attributes override group policy attributes if both have a value.

3. Tunnel group default-group-policy attributes: These attributes come from the default-group-policy (Base group) that is associated with the tunnel group. After a lookup of that group policy, the Tunnel Group's default-group-policy provides any attributes that are missing from the user or group policy attributes. User attributes override group policy attributes if both have a value.

4. System default attributes: System default attributes provide any attributes that are missing from the user, group, or tunnel group attributes.

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/ldapapp.html
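The four-layer precedence described in the reply above (user, then group policy, then the tunnel group's default-group-policy, then system defaults), together with the 'OU=GroupName;' parsing of the RADIUS Class (25) attribute, can be modelled as a small merge routine. The following is an added example written for this page; it is not code from the poster or from Cisco, and the attribute names, group-policy names and attribute values in it are constructed sample data, not a real appliance configuration.

```python
import re
from typing import Dict, Optional, Tuple

Attrs = Dict[str, object]

# Layers in increasing order of precedence, matching the four steps in the reply.
LAYERS = (
    "system-default",
    "tunnel-group default-group-policy",
    "group-policy",
    "user",
)

# Format of the RADIUS Class (25) value that names the group policy: 'OU=GroupName;'
CLASS_RE = re.compile(r"OU=([^;]+);")


def group_policy_from_class(class_attr: Optional[str]) -> Optional[str]:
    """Extract the group-policy name from a Class value of the form 'OU=GroupName;'.

    Returns None when the attribute is absent or does not follow that format, in
    which case the appliance would fall through to the tunnel group's default.
    """
    if not class_attr:
        return None
    match = CLASS_RE.search(class_attr)
    return match.group(1) if match else None


def aggregate_attributes(user: Attrs, group_policy: Attrs,
                         tunnel_default: Attrs, system_default: Attrs
                         ) -> Tuple[Attrs, Dict[str, str]]:
    """Merge the four attribute sets: the highest-precedence layer that defines a
    key wins, and each lower layer only supplies keys the layers above it lack.

    Returns the aggregate set and a map of attribute -> layer it was taken from,
    which is useful when debugging why a session got a particular value.
    """
    merged: Attrs = {}
    source: Dict[str, str] = {}
    ordered = (user, group_policy, tunnel_default, system_default)
    for name, layer in zip(reversed(LAYERS), ordered):
        for key, value in layer.items():
            if key not in merged and value is not None:
                merged[key] = value
                source[key] = name
    return merged, source


# Constructed sample configuration (hypothetical names and values).
SYSTEM_DEFAULTS: Attrs = {
    "vpn-simultaneous-logins": 3,
    "vpn-idle-timeout": 30,
    "split-tunnel-policy": "tunnelall",
}
GROUP_POLICIES: Dict[str, Attrs] = {
    "DfltGrpPolicy": {"banner": "Authorized use only", "dns-server": "10.0.0.53"},
    "Engineering": {"split-tunnel-policy": "tunnelspecified", "vpn-idle-timeout": 60},
}
TUNNEL_GROUP_DEFAULT_POLICY = "DfltGrpPolicy"  # the tunnel group's default-group-policy


def resolve_session(server_reply: Attrs) -> Tuple[Attrs, Dict[str, str]]:
    """Build the aggregate attribute set for one authenticated user from a
    (constructed) external-server reply carrying per-user attributes and,
    optionally, a Class attribute naming the group policy."""
    user_attrs = dict(server_reply)
    gp_name = group_policy_from_class(user_attrs.pop("Class", None))
    group_policy = GROUP_POLICIES.get(gp_name, {}) if gp_name else {}
    tunnel_default = GROUP_POLICIES[TUNNEL_GROUP_DEFAULT_POLICY]
    return aggregate_attributes(user_attrs, group_policy, tunnel_default, SYSTEM_DEFAULTS)


if __name__ == "__main__":
    reply = {"Class": "OU=Engineering;", "vpn-simultaneous-logins": 1}
    merged, source = resolve_session(reply)
    for key in sorted(merged):
        print(f"{key:26} = {merged[key]!s:22} (from {source[key]})")
```

Running it for a user whose server reply carries `Class = OU=Engineering;` shows the per-user login limit winning over the system default, the Engineering policy supplying split tunnelling and idle timeout, and the tunnel group's default-group-policy filling in banner and DNS server. Dropping the Class attribute makes the split-tunnel and idle-timeout values fall back to the system defaults, which is the behaviour to check for when a user lands in the wrong policy.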