If the "integrated" Radiusserver coming with the ACE-Server does not have the feature to forward a user's groupmemberships of ACE Server groups you won't be able to do a rolemapping based on that.
For my undestanding the ACE groups shall be primarily used for grouping agent hosts to a user. And since you do not use the ACE API directly to access userdata, you won't even see the groupmemberships on an authentication agent.
Due to the ACE server is just an auhentication machine for use, we use it directly (with no radius in between) for the authentication on the IVE and do the rolemapping based on directory attributes, based on the fact that the user/groulogin for the IVE-Agent can be found in our LDAP as well.

hth

Yes, that's the same way we do that here, even if we use the specific ldap attribute to "split" our different customers, that are authenticated to the ace server...

I think the best way to be:

1. Install RSA Radius Server on ACE Server

2. configure different Radius Profiles. Use Radius "Class" Attribute with a value like "Management", "Teleworkers", "Stuff" and so on

3. Assign on ACE Server the proper Radius Profile to the RSA Users on "Edit User" Tab

4. Configure your IVE system as Agent Host on Radius Server and Radius Client

5. On IVE configure on Realm Level as Auth-Server a new Radius Server - your ACE Radius Server

6. On Realm Role mapping, use Rolemap Rulez based on Attributes. If attribute is "Management", then apply Role "Managemt".

7. On Ressource Policy ... Network Connect ... Profiles configure IP Pool for "Management"

Then if a user from the management logs in, the RSA Radius Server will send the class attribute with value "Management" to your IVE System, and the user will be mapped to management role, and get an IP in the tunnel which is used for Management people.