[c-nsp] ASA VPN groups... pointer/howto/cookbook?

Jeff Kell jeff-kell at utc.edu
Wed Sep 28 14:05:51 EDT 2011


I have been running standard VPN client profiles for VPN access for quite a few years,
on PIX and now on ASA.  I'm working on our next generation prototype now, and the number
of VPN groups is growing a bit out of hand.

Up to this point we have been distributing groups/roles by providing a suitable .pcf
connection profile with the VPN client to each user.  The .pcf contains the group name
and preshared key (yes, admittedly not that secure).

The current scheme is working fine, just getting a bit out of hand with the growing
number of groups and necessity of distributing the .pcf files.

It would be "nicer" if the client simply connected to the VPN server, authenticated (we
are using TACACS+, but I also have a working Active Directory profile for a more
general-purpose group), and had the appropriate group supplied by TACACS+ (or AD).

It would be even nicer still if the client could connect either split-tunnel (from home
or a secure location) or full-tunnel (to encrypt everything, if on a hotspot or WiFi for
example).  Currently this is done with two .pcf files (and two corresponding groups on
the ASA).

There are a dizzying number of possibilities and methods outlined in the documentation,
but I was hoping for a more direct approach to accomplishing this goal.

Pointers?  References?  Suggestions?  (I would RTFM if it weren't so F'ing huge :)  )

Thanks in advance,

Jeff
