We currently have a Cisco ASA VPN deployment using ACS - AD authentication.
We're using the RADIUS Class attribute to do group locking between these
systems. We have around 50 groups in use.
We're in the middle of an RSA SecurID deployment and can't seem to figure out
how we maintain the group
In ACS 5.2, you can configure an Identity Store Sequence which will
authenticate via RSA, and then pull additional attributes from AD (like group
membership). Your usernames need to match between systems.
You can then send back RADIUS attributes to your ASA based on AD group
membership.