ASA SSL VPN group authentication

john.vossikas
Level 1

Dear All,

I'm trying to implement a login of the form user@group, rather than having the user select the group from the drop-down list when logging in. I have enabled "@" as a delimiter character and am trying to log in via LDAP authentication.

Any ideas?

Thanks

3 Replies

markbialik
Level 1

Hello, did you ever receive an answer on this? Thanks.

It can be done. I did it last year using MS W2k3 AD and IAS. I had to do a lot of trial and error :) as I couldn't find perfect documentation for it.

- Create multiple groups in AD, assign the user to their group.

- Create remote access policy in IAS for each group.

- Create one IP Pool in ASA

- Create Group Policy and Tunnel Group in ASA for each user group.

- The trick is in Tunnel Group.

NOTE: Be consistent with the group naming convention between AD, IAS, and ASA

The user is able to log in successfully using the policies set for their group in ASA without seeing the group drop-down list. Done this way, all groups share the same IP pool. You can still restrict which IP addresses and ports a user can access, per group, using the Group Policy ACL. However, if you want to use a different IP pool per group, users have to see the group drop-down list and select their assigned group.

The IAS configuration in the following links will give you an idea, but don't follow them blindly; as I said, I couldn't find perfect documentation (I wrote my own by trial and error):

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml

http://technet2.microsoft.com/WindowsServer/en/library/c25dccdf-b91e-4fb1-8846-cd5bcc9bcf0e1033.mspx?mfr=true
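A sketch of the ASA side of the steps above, added here as an illustration and not the poster's configuration: one shared address pool, a RADIUS server group for IAS, and one group policy plus one tunnel group per AD group, with the names kept identical across AD, IAS and ASA. The group names, addresses, ACL contents and RADIUS key are placeholders; the "@" delimiter setting from the original question is assumed to be already enabled and is not shown.

```cisco
! Added example, not the poster's configuration. Names, addresses and the
! RADIUS shared secret are placeholders.

! One address pool shared by every user group (as described in the reply)
ip local pool SSLVPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! RADIUS server group pointing at the IAS server
aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.0.2.10
 key <radius-shared-secret>

! Per-group ACLs, enforced on the VPN session with vpn-filter
access-list SALES-ACL extended permit tcp any host 10.20.0.5 eq 443
access-list SALES-ACL extended deny ip any any
access-list ENG-ACL extended permit tcp any 10.30.0.0 255.255.255.0 eq 22
access-list ENG-ACL extended deny ip any any

! One group policy per AD group; same name as the AD group and IAS policy
group-policy SALES internal
group-policy SALES attributes
 vpn-filter value SALES-ACL
group-policy ENG internal
group-policy ENG attributes
 vpn-filter value ENG-ACL

! One tunnel group (connection profile) per user group, all on the same pool;
! the part after "@" in user@group selects one of these by name
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 address-pool SSLVPN-POOL
 authentication-server-group IAS
 default-group-policy SALES
tunnel-group ENG type remote-access
tunnel-group ENG general-attributes
 address-pool SSLVPN-POOL
 authentication-server-group IAS
 default-group-policy ENG

! Lock down the default connection profile so a login with a missing or
! unknown group suffix gets no session instead of a permissive default
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy NOACCESS
```

The last block matters because, with the drop-down hidden, any login whose group suffix does not match a configured tunnel group falls into DefaultWEBVPNGroup.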

Thanks very much for your answer. I will try what you suggested.

Mark