I've configured LDAP authentication to allow access if  members are a member of the "VPN_Users" Group.  This configuration is  working, but only for some users.  For other users it isn't.  The output  of the 'debug ldap 255' shows an output of memberOf for the users that  it's working for, but shows nothing for users it's not working for.   I've not been able to figure out any connection or differences that are  the same between those users that work and those that don't.  Any idea on what might be causing this problem?  Both working and non-working users will authenticate, its just some of them don't pull the memberof data in the ldap query.

Config:

aaa-server AD protocol ldap

aaa-server AD (inside) host btfs2

ldap-base-dn dc=localdomain,dc=com

ldap-scope subtree

ldap-naming-attribute samAccountName

ldap-login-password *****

ldap-login-dn svc-cisco@localdomain.com

server-type microsoft

ldap-attribute-map VPNGroup

ldap attribute-map VPNGroup

  map-name  memberOf IETF-Radius-Class

  map-value memberOf "CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com" btvpn

group-policy NOACCESS internal

group-policy NOACCESS attributes

vpn-simultaneous-logins 0

vpn-tunnel-protocol IPSec svc

webvpn

  svc ask none default svc

group-policy btvpn internal

group-policy btvpn attributes

banner value This is a private data network. All connections are logged and are subject to

banner value monitoring. Unauthorized access is prohibited and will be prosecuted.

dns-server value 10.0.0.x 10.0.0.y

vpn-simultaneous-logins 10

vpn-tunnel-protocol IPSec l2tp-ipsec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittun

default-domain value localdomain.com

webvpn

  svc keep-installer installed

  svc rekey time 120

  svc rekey method ssl

  svc ask enable default svc

tunnel-group btvpn type remote-access

tunnel-group btvpn general-attributes

address-pool vpnpool

authentication-server-group AD LOCAL

default-group-policy NOACCESS

tunnel-group btvpn webvpn-attributes

group-alias webvpn enable

tunnel-group btvpn ipsec-attributes

pre-shared-key *****

Non-working user:

[1575] Session Start

[1575] New request Session, context 0xd7fbf210, reqType = Authentication

[1575] Fiber started

[1575] Creating LDAP context with uri=ldap://10.0.0.x:389

[1575] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful

[1575] supportedLDAPVersion: value = 3

[1575] supportedLDAPVersion: value = 2

[1575] Binding as svc-cisco@localdomain.com

[1575] Performing Simple authentication for svc-cisco@localdomain.com to 10.0.0.x

[1575] LDAP Search:

        Base DN = [dc=localdomain,dc=com]

        Filter  = [samAccountName=cmcbride]

        Scope   = [SUBTREE]

[1575] User DN = [CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]

[1575] Talking to Active Directory server 10.0.0.x

[1575] Reading password policy for cmcbride, dn:CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com

[1575] Binding as cmcbride

[1575] Performing Simple authentication for cmcbride to 10.0.0.x

[1575] Processing LDAP response for user cmcbride

[1575] Message (cmcbride):

[1575] Authentication successful for cmcbride to 10.0.0.x

[1575] Retrieved User Attributes:

[1575]  objectClass: value = top

[1575]  objectClass: value = person

[1575]  objectClass: value = organizationalPerson

[1575]  objectClass: value = user

[1575]  cn: value = Chris McBride

[1575]  sn: value = McBride

[1575]  l: value = Tulsa

[1575]  description: value = cmcbride non-admin test account

[1575]  givenName: value = Chris

[1575]  distinguishedName: value = CN=Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=co

[1575]  displayName: value = Chris McBride

[1575]  name: value = Chris McBride

[1575]  objectGUID: value = ....5..L...[..K.

[1575]  codePage: value = 0

[1575]  countryCode: value = 0

[1575]  primaryGroupID: value = 513

[1575]  objectSid: value = ...............1...{C..2....

[1575]  sAMAccountName: value = cmcbride

[1575]  sAMAccountType: value = 805306368

[1575]  userPrincipalName: value = cmcbride@localdomain.com

[1575]  objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com

[1575] Fiber exit Tx=616 bytes Rx=2007 bytes, status=1

[1575] Session End

Working user:

[1585] Session Start

[1585] New request Session, context 0xd7fbf210, reqType = Authentication

[1585] Fiber started

[1585] Creating LDAP context with uri=ldap://10.0.0.x:389

[1585] Connect to LDAP server: ldap://10.0.0.x:389, status = Successful

[1585] supportedLDAPVersion: value = 3

[1585] supportedLDAPVersion: value = 2

[1585] Binding as svc-cisco@localdomain.com

[1585] Performing Simple authentication for svc-cisco@localdomain.com to 10.0.0.x

[1585] LDAP Search:

        Base DN = [dc=localdomain,dc=com]

        Filter  = [samAccountName=cmcbride_a]

        Scope   = [SUBTREE]

[1585] User DN = [CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com]

[1585] Talking to Active Directory server 10.0.0.x

[1585] Reading password policy for cmcbride_a, dn:CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain,DC=com

[1585] Read bad password count 0

[1585] Binding as cmcbride_a

[1585] Performing Simple authentication for cmcbride_a to 10.0.0.x

[1585] Processing LDAP response for user cmcbride_a

[1585] Message (cmcbride_a):

[1585] Authentication successful for cmcbride_a to 10.0.0.x

[1585] Retrieved User Attributes:

[1585]  objectClass: value = top

[1585]  objectClass: value = person

[1585]  objectClass: value = organizationalPerson

[1585]  objectClass: value = user

[1585]  cn: value = Admin Chris McBride

[1585]  sn: value = McBride

[1585]  description: value = PTC User, cjm 05312011

[1585]  givenName: value = Chris

[1585]  distinguishedName: value = CN=Admin Chris McBride,OU=Administrators,OU=Company OU,DC=localdomain

[1585]  instanceType: value = 4

[1585]  whenCreated: value = 20110525173004.0Z

[1585]  whenChanged: value = 20110619154158.0Z

[1585]  displayName: value = Admin Chris McBride

[1585]  uSNCreated: value = 6188062

[1585]  memberOf: value = CN=VPN_Users,OU=Security Groups,OU=Company OU,DC=localdomain,DC=com

[1585]          mapped to IETF-Radius-Class: value = btvpn

[1585]          mapped to LDAP-Class: value = btvpn

[1585]  memberOf: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=baer-t

[1585]          mapped to IETF-Radius-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com

[1585]          mapped to LDAP-Class: value = CN=Websense Filtered Group,OU=Distribution Groups,OU=Company OU,DC=localdomain,DC=com

[1585]  memberOf: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com

[1585]          mapped to IETF-Radius-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com

[1585]          mapped to LDAP-Class: value = CN=TS_Sec_Admin,OU=Terminal Server 2003,DC=localdomain,DC=com

[1585]  memberOf: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com

[1585]          mapped to IETF-Radius-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com

[1585]          mapped to LDAP-Class: value = CN=Domain Admins,CN=Users,DC=localdomain,DC=com

[1585]  memberOf: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com

[1585]          mapped to IETF-Radius-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com

[1585]          mapped to LDAP-Class: value = CN=Enterprise Admins,CN=Users,DC=localdomain,DC=com

[1585]  memberOf: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com

[1585]          mapped to IETF-Radius-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com

[1585]          mapped to LDAP-Class: value = CN=Schema Admins,CN=Users,DC=localdomain,DC=com

[1585]  uSNChanged: value = 6560745

[1585]  name: value = Admin Chris McBride

[1585]  objectGUID: value = ..Kj4..E..c.VCHT

[1585]  userAccountControl: value = 512

[1585]  badPwdCount: value = 0

[1585]  codePage: value = 0

[1585]  countryCode: value = 0

[1585]  badPasswordTime: value = 129531669834218721

[1585]  lastLogoff: value = 0

[1585]  lastLogon: value = 129532463799841621

[1585]  scriptPath: value = SLOGIC.BAT

[1585]  pwdLastSet: value = 129508182041981337

[1585]  primaryGroupID: value = 513

[1585]  objectSid: value = ...............1...{C..2. ..

[1585]  adminCount: value = 1

[1585]  accountExpires: value = 9223372036854775807

[1585]  logonCount: value = 90

[1585]  sAMAccountName: value = cmcbride_a

[1585]  sAMAccountType: value = 805306368

[1585]  userPrincipalName: value = cmcbride_a@localdomain.com

[1585]  objectCategory: value = CN=Person,CN=Schema,CN=Configuration,DC=localdomain,DC=com

[1585]  dSCorePropagationData: value = 20110525174152.0Z

[1585]  dSCorePropagationData: value = 16010101000000.0Z

[1585]  lastLogonTimestamp: value = 129529717185508866

[1585]  msTSExpireDate: value = 20110803160858.0Z

[1585]  msTSLicenseVersion: value = 393216

[1585]  msTSManagingLS: value = 92573-029-5868087-27549

[1585] Fiber exit Tx=633 bytes Rx=3420 bytes, status=1

[1585] Session End