topic ASA: AnyConnect uses wrong Group Policy when using DAC in Network Security https://community.cisco.com/t5/network-security/asa-anyconnect-uses-wrong-group-policy-when-using-dac/m-p/4493518#M1084653 <P>Hello everybody,</P><P>&nbsp;</P><P>our customer uses a Firepower 2101 running a ASA OS 9.10(1)44 and has many Dynamic Access Policies (DAC) for their business partners.</P><P>&nbsp;</P><P>He created a new AD Group and a new DAC and specifies a new&nbsp;Group Policy for this new&nbsp;business partner named Pavis (see attached screen dump).</P><P>&nbsp;</P><P>The login is working for a test-user of this group but AnyConnect is using another&nbsp;Group Policy (GroupPolicy_Bionorica_SE_EXTERN) as specifies (GroupPolicy_Bionorica_SE_EXTERN_Pavis) in the DAC. So the IP-Address pool is wrong and the ACLs dont't meet their requirements.<BR /><BR />I assume that the reason for this misbehaviour in not on the ASA but on the AD.</P><P>&nbsp;</P><P>My Question is: What could cause the usage of the wrong&nbsp;Group Policy even if the right one is specified in the DAC and where I need to check this?</P><P>&nbsp;</P><P>Attached you find the configuration.</P><P>&nbsp;</P><P>Every hint is welcome!!!<BR /><BR />Thanks a lot!<BR /><BR /><BR /><BR />Bye</P><P>R.</P> Wed, 27 Oct 2021 14:25:45 GMT swscco001 2021-10-27T14:25:45Z ASA: AnyConnect uses wrong Group Policy when using DAC https://community.cisco.com/t5/network-security/asa-anyconnect-uses-wrong-group-policy-when-using-dac/m-p/4493518#M1084653 <P>Hello everybody,</P><P>&nbsp;</P><P>our customer uses a Firepower 2101 running a ASA OS 9.10(1)44 and has many Dynamic Access Policies (DAC) for their business partners.</P><P>&nbsp;</P><P>He created a new AD Group and a new DAC and specifies a new&nbsp;Group Policy for this new&nbsp;business partner named Pavis (see attached screen dump).</P><P>&nbsp;</P><P>The login is working for a test-user of this group but AnyConnect is using another&nbsp;Group Policy (GroupPolicy_Bionorica_SE_EXTERN) as specifies (GroupPolicy_Bionorica_SE_EXTERN_Pavis) in the DAC. So the IP-Address pool is wrong and the ACLs dont't meet their requirements.<BR /><BR />I assume that the reason for this misbehaviour in not on the ASA but on the AD.</P><P>&nbsp;</P><P>My Question is: What could cause the usage of the wrong&nbsp;Group Policy even if the right one is specified in the DAC and where I need to check this?</P><P>&nbsp;</P><P>Attached you find the configuration.</P><P>&nbsp;</P><P>Every hint is welcome!!!<BR /><BR />Thanks a lot!<BR /><BR /><BR /><BR />Bye</P><P>R.</P> Wed, 27 Oct 2021 14:25:45 GMT https://community.cisco.com/t5/network-security/asa-anyconnect-uses-wrong-group-policy-when-using-dac/m-p/4493518#M1084653 swscco001 2021-10-27T14:25:45Z