Well, there are some things you could try with RADIUS for the administrators. If you have your PAN-device admins in a AD-group you could have that group in a Network Policy server/IAS-authentication profile. That should take care of the Administrators, You can even utilize the vendor-specific attributes to give your admins the right privileges! It's a bit crude, but it works. When it comes to the your SSLVPN users. How have you set up Authentication ? LDAP, RADIUS? If LDAP, do you filter out the groups?
... View more