I've read some guides, but I don't see anything that covers exactly what I am trying to do, which is to use ACS to identify a user group and then, based on that group, assign the IP pool name, VPN ACL and VPN group-url. Both the IP pool and ACL details are held on the ASA.
I've set up a test policy element on ACS --> Authorization and permissions --> Network Access - Authorization Profiles and created a profile with the following RADIUS attributes:
Attribute: cisco-av-pair
Value: url-redirect="VPNurlName"
Attribute: Filter-ID
Value: "Custom ACL Name"
Attribute: cisco-ip-pool-definition
Value: "Custom pool name"
I then assigned this to Access-Policies --> Default Network Access --> Authorization --> New policy which references an identity group which I have put a test user in.
I think the ACS config is ok but don't know how to reference from the ASA and pull the values across. I believe it may be something to do with ldap attribute-map?
Values I want to pull across are:
tunnel-group TG-TUNNELGROUP general-attributes
 address-pool <ACS POOL VALUE>
tunnel-group TG-TUNNELGROUP webvpn-attributes
 group-url <ACS URL VALUE> enable
group-policy GP-GROUPPOLICY attributes
 vpn-filter value <ACS ACL VALUE>
A show vpn-sessiondb detail shows the ISE Posture values being passed back as we want, but the ASA doesn't know how to use the values.
sh vpn-sessiondb detail anyconnect
Filter Name : DAP-ip-user-12345
ISE Posture:
Redirect URL : https://MyURL
Redirect ACL : MyACL
I've uploaded some pics of ACS configuration. I've also started some ldap-attribute configuration but not sure if I'm correct in going down this road.
aaa-server ACS-DMZ (DMZ2) host x.x.x.x
ldap attribute-map LDAPTEST
map-name MAPNAME ?
Cisco-AV-Pair
WebVPN-ACL-Filters
WebVPN-URL-Entry-Enable
WebVPN-URL-List
Thanks
Michael
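An added example of the ASA side for this kind of setup (my own config, not from Michael's post or from Cisco documentation): it delivers the per-user pool and ACL names through RADIUS attributes and keeps group-url static on the tunnel-group, because the ASA chooses the tunnel-group from the URL before the user has been authenticated. Assumed placeholders: the ACS-DMZ server group on interface DMZ2, host x.x.x.x, the shared secret, DEFAULT-POOL and DEFAULT-VPN-ACL as local fallbacks, and https://vpn.example.com/staff.

```text
! RADIUS server group the tunnel-group authenticates against (assumed names/host)
aaa-server ACS-DMZ protocol radius
aaa-server ACS-DMZ (DMZ2) host x.x.x.x
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Local defaults; a value returned by ACS for the user overrides the matching
! setting here, so a user with no attribute still gets a known pool and filter.
group-policy GP-GROUPPOLICY internal
group-policy GP-GROUPPOLICY attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value DEFAULT-VPN-ACL
 address-pools value DEFAULT-POOL
!
! The tunnel-group is selected by group-url, so the URL stays static here
tunnel-group TG-TUNNELGROUP type remote-access
tunnel-group TG-TUNNELGROUP general-attributes
 authentication-server-group ACS-DMZ
 default-group-policy GP-GROUPPOLICY
 address-pool DEFAULT-POOL
tunnel-group TG-TUNNELGROUP webvpn-attributes
 group-url https://vpn.example.com/staff enable
```

On the ACS side the per-user values go in the Access-Accept as Filter-Id (IETF attribute 11) for the vpn-filter ACL name, the Cisco VSA Address-Pools (VSA 217) for the pool name, and Class in the form OU=GP-GROUPPOLICY (or the Cisco VSA Group-Policy) to pick the group policy; the named ACL and pool must already exist on the ASA, and show vpn-sessiondb detail anyconnect will show the applied Filter Name and assigned address for checking.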