I've got an ASA 5520 8.0(3) setup with two RA VPN groups - a "normal" user VPN group and an "Admin" user VPN group. With the Cisco VPN client, it's fairly easy to ensure only admin folks get the Admin PCF file. However, I recently set up SSL VPN as well (using the same groups). I've set the SSL URLs such that a user going to https://site.company.com goes to the normal user VPN...and a user going to https://site.company.com/Admin uses the Admin profile.

This all works, but there is nothing stopping a regular user from hitting the /Admin site if they somehow learn about it. I want to make sure that the /Admin tunnel can only be accessed by users in a specific AD group. Currently, to connect to the VPN, all users (normal and admin) have to be a member of the "VPN Users" group.

How can I permit/deny access to a certain tunnel group based on AD group with RADIUS (IAS Win 2003)?