Dear All,
I am trying to authenticate VPN users based on LDAP group. Users in the TEST-ACCESS group policy will be provided VPN access; the rest should be denied by the default policy NOACCESS.
However, when I try, only the default policy is matching; the group-policy attribute is not being checked at all. I have tried debug ldap 255 but no luck.
aaa-server TEST_LDAP protocol ldap
aaa-server TEST_LDAP (inside) host 10.10.10.2
 server-port 389
 ! base DN written without spaces after the commas
 ldap-base-dn DC=xyz,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=test_ldap,CN=Users,DC=xyz,DC=com
 ldap-login-password ******
 ldap-attribute-map DENY-VPN-USERS
 server-type microsoft
!
! memberOf (canonical AD spelling) holds the DN of each group the user belongs
! to, i.e. CN=<group>,..., never an OU DN, so the first map-value below can
! never match; unmapped users are already denied by default-group-policy NOACCESS.
ldap attribute-map DENY-VPN-USERS
 map-name memberOf Group-Policy
 map-value memberOf "OU=Deny VPN Access,OU=Users,OU=xyz,DC=xyz,DC=com" NOACCESS
 map-value memberOf "CN=test-vpn,OU=Deny VPN Access,OU=Users,OU=xyz,DC=xyz,DC=com" TEST-ACCESS
!
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
 address-pools none
!
group-policy TEST-ACCESS internal
group-policy TEST-ACCESS attributes
 wins-server none
 dns-server value 10.10.10.1
 vpn-idle-timeout 480
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value xyz.com
!
tunnel-group TEST-LDAP type remote-access
tunnel-group TEST-LDAP general-attributes
 address-pool VPN-POOL
 authentication-server-group TEST_LDAP LOCAL
 default-group-policy NOACCESS
tunnel-group TEST-LDAP webvpn-attributes
 group-alias TEST-LDAP enable
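The following is an added Python example, not part of the post above and not Cisco code: an offline model of what the ASA does with this attribute map, so the matching can be reasoned about without a live directory. It parses the map-name/map-value lines, normalises DNs the way a directory compares them (case-insensitive, whitespace around commas ignored), applies the map to constructed sample users and falls back to the tunnel-group's default-group-policy, and flags map-value DNs that can never appear in memberOf. The sample user entries are constructed; first-match-wins for a user in several mapped groups is an assumption of the model, not documented ASA behaviour.

```python
"""
Offline model of how a Cisco ASA ldap attribute-map turns a user's memberOf
values into a Group-Policy name. Illustrative script, not Cisco code; the
handling of several matching memberOf values is an assumption (see below).
"""
import re
from typing import Dict, List

# Constructed copy of the attribute map from the post, with memberOf in its
# canonical Active Directory spelling.
ATTRIBUTE_MAP = """
ldap attribute-map DENY-VPN-USERS
  map-name memberOf Group-Policy
  map-value memberOf "OU=Deny VPN Access,OU=Users,OU=xyz,DC=xyz,DC=com" NOACCESS
  map-value memberOf "CN=test-vpn,OU=Deny VPN Access,OU=Users,OU=xyz,DC=xyz,DC=com" TEST-ACCESS
"""

# Constructed directory entries standing in for what the ASA's LDAP search
# returns. memberOf always carries the DN of a group object (CN=<group>,...).
USERS: Dict[str, Dict[str, List[str]]] = {
    "alice": {
        "sAMAccountName": ["alice"],
        "memberOf": [
            "CN=Domain Users,CN=Users,DC=xyz,DC=com",
            "CN=test-vpn, OU=Deny VPN Access, OU=Users, OU=xyz, DC=xyz, DC=com",
        ],
    },
    "bob": {
        "sAMAccountName": ["bob"],
        "memberOf": ["CN=Domain Users,CN=Users,DC=xyz,DC=com"],
    },
}

_MAP_NAME = re.compile(r"^\s*map-name\s+(\S+)\s+(\S+)", re.M)
_MAP_VALUE = re.compile(r'^\s*map-value\s+(\S+)\s+"([^"]*)"\s+(\S+)', re.M)


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: split on unescaped commas, strip
    whitespace around each RDN, lowercase (AD DN comparison ignores case)."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip().lower() for r in rdns)


def parse_attribute_map(text: str) -> Dict[str, Dict]:
    """Return {ldap_attr_lowercased: {"cisco": <cisco attr>, "values": {norm_dn: policy}}}."""
    out: Dict[str, Dict] = {}
    for ldap_attr, cisco_attr in _MAP_NAME.findall(text):
        out[ldap_attr.lower()] = {"cisco": cisco_attr, "values": {}}
    for ldap_attr, raw_dn, mapped in _MAP_VALUE.findall(text):
        spec = out.setdefault(ldap_attr.lower(), {"cisco": None, "values": {}})
        spec["values"][normalize_dn(raw_dn)] = mapped
    return out


def resolve_group_policy(entry: Dict[str, List[str]], attr_map: Dict[str, Dict],
                         default_policy: str) -> str:
    """Apply the map to one directory entry. Returns the policy mapped for the
    first memberOf value (in directory order) that has a map-value, otherwise
    the tunnel-group's default-group-policy.
    Assumption: first-match-wins; confirm on the real ASA with
    'debug ldap 255' when a user sits in several mapped groups."""
    lower_entry = {k.lower(): v for k, v in entry.items()}
    for ldap_attr, spec in attr_map.items():
        if spec["cisco"] != "Group-Policy":
            continue
        for value in lower_entry.get(ldap_attr, []):
            policy = spec["values"].get(normalize_dn(value))
            if policy is not None:
                return policy
    return default_policy


def unmatchable_map_values(attr_map: Dict[str, Dict]) -> List[str]:
    """memberOf map-value DNs that can never match: memberOf holds group DNs,
    whose leading RDN is CN=<group>, so an OU=... entry is dead config."""
    spec = attr_map.get("memberof")
    if not spec:
        return []
    return [dn for dn in spec["values"] if not dn.startswith("cn=")]


if __name__ == "__main__":
    amap = parse_attribute_map(ATTRIBUTE_MAP)
    for user, entry in USERS.items():
        print(f"{user} -> {resolve_group_policy(entry, amap, 'NOACCESS')}")
    print("map-values that can never match:", unmatchable_map_values(amap))
```

Running it shows alice (member of test-vpn) landing in TEST-ACCESS and bob falling through to NOACCESS, and lists the OU-based map-value as one that no memberOf value can ever satisfy; the same normalisation also shows why spaces after commas in a DN do not by themselves break a match.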