Thanks for replying, much appreciated.
That would open the rule up to too many users - the vendors would normally have access to something that most generic users wouldn't have access to. So there's no way for the "VPN concentrator" gateway to share those locally authenticated VPN user/IP associations with the other gateways? If not, do you know if a blend of ipassignment.conf and DHCP office mode works? I can add the few vendors in the conf file and create static objects for their access as long as the gateway doesn't dynamically assign addresses that are in the conf file.
I'd love to hear how other sites handle this - VPN users get authenticated on one gateway, and you need to apply granular policy around their access of other gateways.
As always, any guidance is appreciated.
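The condition raised above (the static ipassignment.conf entries must not collide with the addresses the office-mode DHCP pool hands out) is easy to check offline. The script below is an added example written for this thread; it is not code from the poster or from Check Point. It assumes the common ipassignment.conf line shape of `<gateway> <addr|range> <address or first-last> <user>` with `#` comments, and the sample entries and pool boundaries are constructed for illustration. It parses the entries, reports which ones fall inside a given office-mode pool, and carves the pool into the sub-ranges that remain free of static assignments, so you can size the DHCP scope around the vendors' fixed addresses.

```python
import ipaddress

# Constructed sample in the assumed ipassignment.conf shape:
# "<gateway> <addr|range> <ip or first-last> <user>", '#' starts a comment.
SAMPLE_IPASSIGNMENT = """
# gateway   type   address/range             user
*           addr   10.50.0.10                vendor1
*           addr   10.50.0.11                vendor2
*           range  10.50.0.200-10.50.0.210   vendorgroup
gw-hq       addr   10.50.0.150               auditor
"""


def parse_ipassignment(text):
    """Parse ipassignment.conf-style lines into a list of dicts.

    Each entry carries the gateway, the user, and the first/last address
    it reserves (first == last for a plain 'addr' line).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"unexpected ipassignment line: {raw!r}")
        gateway, kind, target, user = parts
        if kind == "addr":
            first = last = ipaddress.ip_address(target)
        elif kind == "range":
            lo, hi = target.split("-", 1)
            first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if last < first:
                raise ValueError(f"reversed range: {raw!r}")
        else:
            raise ValueError(f"unknown assignment type {kind!r}: {raw!r}")
        entries.append({"gateway": gateway, "user": user,
                        "first": first, "last": last})
    return entries


def find_pool_overlaps(entries, pool_start, pool_end):
    """Return the static entries that intersect the office-mode pool."""
    ps, pe = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return [e for e in entries if e["first"] <= pe and e["last"] >= ps]


def free_subranges(entries, pool_start, pool_end):
    """Split the pool into (start, end) string pairs not touched by any
    static entry; these are the ranges the DHCP scope may safely cover."""
    ps, pe = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    cursor = ps
    free = []
    for e in sorted(find_pool_overlaps(entries, pool_start, pool_end),
                    key=lambda e: e["first"]):
        if e["first"] > cursor:
            free.append((str(cursor), str(e["first"] - 1)))
        cursor = max(cursor, e["last"] + 1)
    if cursor <= pe:
        free.append((str(cursor), str(pe)))
    return free


if __name__ == "__main__":
    entries = parse_ipassignment(SAMPLE_IPASSIGNMENT)
    pool = ("10.50.0.100", "10.50.0.254")  # constructed office-mode pool
    for e in find_pool_overlaps(entries, *pool):
        print(f"static entry for {e['user']} ({e['first']}-{e['last']}) "
              f"lies inside the office-mode pool {pool[0]}-{pool[1]}")
    for start, end in free_subranges(entries, *pool):
        print(f"free for DHCP office mode: {start}-{end}")
```

Run it against the real ipassignment.conf and the pool configured for office mode; any entry it reports is one the gateway could also lease dynamically, and the free sub-ranges are what the DHCP scope should be trimmed to if the two mechanisms are combined.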