I have an issue here. I have created various ASA 5510 VPN groups with access to different subnets within our internal network. The filters work fine, but now I am concerned that users with access to more subnets will simply provide his PCF to someone who should not have access to that subnet. Since we have a TACACS server, I was wondering if we could bind users to specific VPN groups, so that if they attempt to access the VPN from an unauthorized VPN group, access will fail. In other words, can TACACS "read" the VPN group information from the ASA, and use that for authentication in addition to user credentials.