I am setting up certificate based authentication on a Cisco ASA 5520 for remote access vpn. I am using Microsoft RADIUS on the inside interface to do the auth. The difficulty I am having is selecting the proper tunnel group for each user. I would like to be able to select the tunnel group based on an AD group. I am looking into setting up certificate group matching rules but am not sure if there is a better way. With certificate group matching rules I think I would have to setup a rule for each individual user name. I want to avoid this if possible. Is there a radius attribute or something that will select the tunnel group on the ASA based on the RADIUS policies and AD group? Thank you.