ASA 5505 RADIUS/Active Directory VPN set up question?

Pete Johnstone
Level 1

I have a small business client that is currently set up with a Cisco ASA 5505 as their firewall/VPN device.

I'm in the process of migrating various things to a brand new Active Directory domain (Windows Server 2012r2) that I've built; however, it will take some time to get everything migrated.

Currently they use local accounts on the ASA to authenticate their AnyConnect clients when connecting via VPN.

I want to set up RADIUS/VPN between the new AD domain and the ASA. I've got everything configured on the Windows side, and have the key, etc. set up on the ASA side as well.

So, to complete this, without disabling the current tunnel group/LOCAL authentication on the Cisco, I "think" I just need to create a completely new tunnel group? Am I right in thinking that this will give them an additional option in the AnyConnect "Group" box when they try to connect?

Just want to verify that this is:

  1. The correct way to do this
  2. I won't in any way disable/mess up the way users authenticate for now using the local accounts they have on the ASA (they are VERY non-technical so I don't want to cause any panic)

Accepted Solutions

Richard Burts
Hall of Fame

With a new tunnel group and a new tunnel group policy you should be able to test authentication for the new profile with RADIUS/AD without any impact to the users on the existing profile.

HTH

Rick
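
The approach in the accepted answer, sketched as ASA configuration. This is an added example, not configuration posted by either participant; the names `AD-RADIUS`, `GP-AD-VPN`, `TG-AD-VPN` and `AD-Test`, the interface name `inside`, the address `192.0.2.10` and everything in angle brackets are assumed placeholders.

```cisco
! Added example: all names, addresses and the key are placeholders.
! The existing tunnel group and its LOCAL authentication are not modified.
!
! 1. RADIUS server group pointing at the Windows RADIUS server
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (inside) host 192.0.2.10
 key <shared-secret-configured-on-the-Windows-side>
!
! 2. New group policy used only by the new profile
!    (ssl-client is the keyword on ASA 8.4 and later; earlier releases use svc)
group-policy GP-AD-VPN internal
group-policy GP-AD-VPN attributes
 vpn-tunnel-protocol ssl-client
!
! 3. New tunnel group that authenticates against the RADIUS server group
tunnel-group TG-AD-VPN type remote-access
tunnel-group TG-AD-VPN general-attributes
 address-pool <existing-anyconnect-pool>
 authentication-server-group AD-RADIUS
 default-group-policy GP-AD-VPN
tunnel-group TG-AD-VPN webvpn-attributes
 group-alias AD-Test enable
!
! 4. The AnyConnect "Group" drop-down lists every tunnel group that has an
!    enabled group-alias. This setting is probably present already if users
!    see a Group box today; check the running config before adding it.
webvpn
 tunnel-group-list enable
!
! Verification from privileged EXEC mode, before telling users about the
! new group. The command prompts for a username and password.
!   test aaa-server authentication AD-RADIUS host 192.0.2.10
!   show running-config tunnel-group
```

Comparing `show running-config tunnel-group` before and after the change confirms that the existing LOCAL-authenticated group is unchanged and only the new group references `AD-RADIUS`.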

