limit of number of roles or policies?

imanenvoy_
Contributor

Is there any real or theoretical limit to the number of roles, profiles, or policies that can be implemented?

We have a lot of very different user needs, but like to keep access locked down as much as possible because they're vendors or users that only need access to only a few IPs.

We're looking at 60-70 roles

Running 7.1 on 6500s

thanks all

zanyterp_
Respected Contributor

Re: limit of number of roles or policies?

No, there is no limit on the number of roles/resource policies you can create as far as the IVE device is coded.

From a *management* perspective, however, you can start to experience excessive loading times as you increase the roles/resource policies (around 300-500 is what I have heard; your mileage may vary, of course).

kenlars_
Super Contributor

Re: limit of number of roles or policies?

We run an SA6000 with approximately 350 roles with no issue. We rarely go over 300 users (some of the roles are rarely used, and some are probably obsolete). There are 354 role-mapping rules in our most heavily used realm. We've seen no issue with resource usage at all.

Ken

kenlars_
Super Contributor

Re: limit of number of roles or policies?

Seems like what you would want to do is to give them Pulse or Network Connect access.  I don't use Pulse yet, but I assume the configuration would be much the same.

If all of your 3rd-party groups should get the same address range, DNS servers, etc., then create only one Network Connect role and set up an NC connection profile with the desired characteristics. Then set up an NC access list with detailed rules which allows each user what they need. Something like:

Resource                  Action   Condition       Notes (not in the configuration)
udp://*:53                allow    user="*"        Everyone gets DNS access and ping
tcp://*:53
icmp://*:*
tcp://192.168.1.1:*       allow    user="usera"    User A gets all TCP ports to 192.168.1.1
tcp://192.168.2.0/24:*    allow    user="userb"    User B gets all TCP and UDP ports to 192.168.2.0/24
udp://192.168.2.0/24:*
.
.
.
*:*                       deny     user="*"        Final deny all just to make sure

You could use group membership or a returned RADIUS attribute to set up the conditions. I return the Filter-Id attribute from RADIUS and use it to apply different access control lists to different sets of users.

Hope this is helpful.

Ken
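The ordered access list in the post above, as an added example that is not part of Ken's post or of the SA/IVE software: a small Python evaluator that applies the rule table top-down with first match deciding (the way the SA evaluates ordered resource policies; confirm against your release) so you can see why the final `*:*` deny is there, what happens when nothing matches, and what a mis-ordered deny does. The resources, users and addresses come from the table; the `Rule` class, the `evaluate` function, the `group=` condition (standing in for an AD group or RADIUS Filter-Id value) and the sample requests are constructed here for illustration.

```python
"""Added example (not the SA/IVE's own code): evaluate an ordered
Network Connect style access list the way the table in the post is
meant to work: top-down, first matching rule decides, explicit final
deny. Rules, users and addresses mirror the table; function names,
group names and the sample requests are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    resource: str   # "proto://host:port"; "*" is a wildcard in any position, "*:*" is everything
    action: str     # "allow" or "deny"
    condition: str  # user="name", group="name", or user="*" for everyone


def parse_resource(resource: str) -> Tuple[str, str, str]:
    """Split 'proto://host:port' into (proto, host, port). IPv4 only: the
    rpartition on ':' keeps '192.168.2.0/24' intact but would break IPv6 literals."""
    proto, sep, rest = resource.partition("://")
    if not sep:                      # bare '*:*' has no scheme: any protocol
        proto, rest = "*", resource
    host, sep, port = rest.rpartition(":")
    if not sep:
        raise ValueError(f"resource lacks a port: {resource!r}")
    return proto.lower(), host, port


def host_matches(pattern: str, dst_ip: str) -> bool:
    if pattern == "*":
        return True
    # A single address becomes a /32 network, so one comparison covers hosts and CIDR blocks.
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(pattern, strict=False)


def condition_matches(condition: str, user: str, groups: frozenset) -> bool:
    key, _, value = condition.partition("=")
    key, value = key.strip(), value.strip().strip('"')
    if key == "user":
        return value == "*" or value == user
    if key == "group":  # constructed stand-in for an AD group or RADIUS Filter-Id value
        return value in groups
    raise ValueError(f"unsupported condition: {condition!r}")


def evaluate(rules: List[Rule], user: str, proto: str, dst_ip: str,
             dst_port: int, groups: frozenset = frozenset()) -> Tuple[str, Optional[Rule]]:
    """Return (action, rule) for the first matching rule, or ("deny", None)
    when nothing matches. The trailing '*:*' deny in the post turns that
    implicit deny into an explicit, loggable rule hit."""
    for rule in rules:
        r_proto, r_host, r_port = parse_resource(rule.resource)
        if ((r_proto == "*" or r_proto == proto.lower())
                and host_matches(r_host, dst_ip)
                and (r_port == "*" or int(r_port) == dst_port)
                and condition_matches(rule.condition, user, groups)):
            return rule.action, rule
    return "deny", None


# The access list from the post, in the post's order.
ACL = [
    Rule("udp://*:53", "allow", 'user="*"'),
    Rule("tcp://*:53", "allow", 'user="*"'),
    Rule("icmp://*:*", "allow", 'user="*"'),
    Rule("tcp://192.168.1.1:*", "allow", 'user="usera"'),
    Rule("tcp://192.168.2.0/24:*", "allow", 'user="userb"'),
    Rule("udp://192.168.2.0/24:*", "allow", 'user="userb"'),
    Rule("*:*", "deny", 'user="*"'),
]

if __name__ == "__main__":
    # Constructed sample requests: (user, proto, dst_ip, dst_port)
    for req in [("usera", "tcp", "192.168.1.1", 22),
                ("userb", "tcp", "192.168.1.1", 22),
                ("userb", "udp", "192.168.2.77", 161),
                ("vendor1", "udp", "10.0.0.1", 53)]:
        action, rule = evaluate(ACL, *req)
        print(req, "->", action, "via", rule.resource if rule else "implicit deny")
```

Run it directly to see each sample request resolve to the rule that decided it. The two things worth noticing are that dropping the final `*:*` deny still denies unmatched traffic, but silently (no rule hit to log), and that moving that deny to the top of the list shadows every allow beneath it, which is the usual mistake when rules are appended rather than inserted.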



SonicBoom_
Regular Contributor

Re: limit of number of roles or policies?

I run 57 roles at the moment with minimal CPU/memory impact. Where you will see the CPU/memory numbers start to rise is when you have 60-70 role mappings; I currently have 37 of those and my CPU/memory is barely moving on an SA4500 running 7.1R1. Just keep an eye on CPU/memory usage.



Power On
http://vology.com
imanenvoy_
Contributor

Re: limit of number of roles or policies?

Thanks for the information. Yes, we'll be doing role mapping to AD groups.


imanenvoy_
Contributor

Re: limit of number of roles or policies?

Wow thanks for the info.

Like I mentioned, we have a lot of users, really vendors and support people, not typical "users". So we like to lock them down only to the IPs they really need. But we don't lock down ports. The access is so diverse that we can't really say or know what port-level access users would need. It just varies too much.

And I'm working on the migration and finding I'm going to have to copy the same IP or network list into multiple areas (web, telnet, Pulse, etc.).

Is your setup the same? Am I missing something?

Seems like a single global area where I could say "This role gets access to these IPs over these ports" would work better.