I have the following scenario:
(1) Cisco ASA 5510 configured to use RADIUS auth on the VPN settings, and it's pointed to a Windows 2003 Enterprise Domain Controller, which handles AD services.
We set the Dial-in setting on the user account properties in ADUC to "allow" -- this accomplishes the VPN allow/deny requirement.
What doesn't work over VPN is the DFS namespace, so shares can only be mapped with the NetBIOS UNC syntax, which isn't a big deal, but an annoyance.
The DFS namespace server, by the way, is a Windows 2008 Standard R2 box.