We have multiple AnyConnect profiles on our ASA. All these profiles authenticate with Active Directory using RADIUS. We're trying to secure this by allowing certain people to VPN for certain resources, instead of full access to everything. I have a VPN and it is ACLed to a certain server group, and this user is locked down to log in to just those servers. But in Active Directory he has dial-in allowed, so technically he can authenticate to other AnyConnect groups. How can I lock it down to allow him to use just one AnyConnect group?