I am trying to develop a solution on the SA that restricts network access based on the username. So all the users (separate for corporate users) would belong to a role, and then each user would have a specific filter applied (restricting access to a defined list of IP addresses). I would rather not have to build roles/resources for each username. There has got to be some way to pull the IP list from AD/LDAP and apply that to a generic resource policy. I have seen some indication of this using custom expressions, but nothing with any kind of detail. If I could pull the list from RADIUS as a VSA, that would work too. For reference, I currently do this via a Cisco VPN and downloadable ACLs in Cisco ACS.
Thanks in advance....