Cisco AAA/Identity/Nac :: ACS 5.2 - Add DACL To 2 Devices?

I have an ASA 5510 on the outside with a Remote Access VPN. The user will need to get from the 5510, then go through an ASA 5540, then out to the subnet where they will be doing their work. I have a Cisco ACS version 5.2 that sits on a separate VLAN off of the 5540. I can authenticate users with RADIUS on the 5510 VPN and use DACLs from the ACS with no problems. However, the DACL only gets downloaded to the 5510 (as expected) and I need it to also download to the 5540. Is there a way to do this? I understand this could mean multiple authentications needed somehow. Right now when I authenticate, the DACL shows up fine in the 5510, but I get blocked from the devices I need to get to because it, of course, is not getting added to the 5540 as well.

Here's the basic topology I have:
 
remote client
|
|
(outside--internet--VPN)
5510
(vlan X)

[code]....