we are using AD as identity management to allow users for remote access VPN. We have defined some Access Roles for serveral AD Groups in Access policy , but, we have observed every AD user can log in via VPN client (end point security), regardless the user has a security policy associated or not. If the user is not included in a security policy, of course, they are not able to access to some where, but, they still can do the log in successfully on the VPN client.
So, somehow, we would like to allow the AD authentication for remote access VPN just for those users belonging to the Access Roles or for some specific AD Groups.
Can I integrate with NAC device such as Cisco ISE using Radius protocol for the VPN identity management ?