You can map the tunnel-groups to particular VLANs:
interface GigabitEthernet0/1
 nameif trunk
 security-level 100
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.96.10 255.255.255.0
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif nac
 security-level 100
 ip address 172.16.200.5 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 12.34.56.78 1
route inside 10.0.100.0 255.255.255.0 10.0.96.254 1
route nac 10.0.100.0 255.255.255.0 172.16.200.1 255
!
group-policy NAC-Group internal
group-policy NAC-Group attributes
 dns-server value 10.0.100.74 10.0.100.75
 vpn-tunnel-protocol IPSec
 default-domain value hacme.com
 vlan 100
!
end
This will force the members of NAC-Group into VLAN 100. VLAN 100 is the
untrusted VLAN and 200 would be trusted - create the mapping in the NAC
Server. Supported after 8.x.
Feel free to contact me with questions.
Chris
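An added audit script (not part of Chris's post) for configs of this shape: it parses the indented ASA blocks and, for every group-policy that sets a vlan attribute, reports the nameif of the subinterface carrying that VLAN, returning None where no subinterface defines it. The sample config is constructed from the post's snippet plus a hypothetical Trusted-Group on VLAN 200 to show the mismatch case.

```python
import re
# Constructed sample: the post's subinterfaces and NAC-Group, plus a hypothetical Trusted-Group on an undefined VLAN.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
!
interface GigabitEthernet0/1.100
 vlan 100
 nameif nac
!
group-policy NAC-Group attributes
 vlan 100
!
group-policy Trusted-Group attributes
 vlan 200
"""

def parse_blocks(config):
    """Split ASA config into (header, [sub-commands]); sub-commands are indented."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def sub_value(body, keyword):
    """Value of the first sub-command 'keyword <value>' in a block, else None."""
    for line in body:
        m = re.match(rf"{keyword} (\S+)$", line)
        if m:
            return m.group(1)
    return None

def audit_policy_vlans(config):
    """Map each group-policy that sets 'vlan N' to the nameif of the
    subinterface carrying VLAN N, or None when no subinterface defines it."""
    blocks = parse_blocks(config)
    vlan_to_nameif = {int(sub_value(b, "vlan")): sub_value(b, "nameif")
                      for h, b in blocks
                      if h.startswith("interface ") and sub_value(b, "vlan")}
    result = {}
    for header, body in blocks:
        m = re.match(r"group-policy (\S+) attributes$", header)
        if m and sub_value(body, "vlan"):
            result[m.group(1)] = vlan_to_nameif.get(int(sub_value(body, "vlan")))
    return result
```

Run it against a `show running-config` export to catch a policy whose VLAN was never given a subinterface, or one pointed at the trusted VLAN by mistake.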