I commented under the document Configuring Extended Authentication with VPN Mobile Users in AOS with a question, but I'm not sure that will be a good place.  Maybe a discussion would be better?  Are comments about an article a good/acceptable place to ask questions (will it get noticed)?  Original question:

Any way to authenticate mobile VPN connections without an external extended auth server?  We commonly install for small businesses without RADIUS, but often need to require auth.  It seems AOS users can't be grouped into a 'VPN' class, so x-auth against local users will give them admin capability.

Are we missing a feature?  Would it be doable to group local users in a future release?  Even if it's limited to, say, 10 user accounts or something.