AnyConnect with two Domains

fuhdan
Level 1

Hi

My customer has two different domains:

a.local

b.local

 

So I created two aaa servers:

aaa-server ldapquerysrv1 protocol ldap
aaa-server ldapquerysrv1 (inside) host x.x.x.x

...

!

aaa-server ldapquerysrv2 protocol ldap
aaa-server ldapquerysrv2 (inside) host y.y.y.y

...

!

ldap attribute-map sslvpn
map-name memberOf IETF-Radius-Class
map-value memberOf...

!

ldap attribute-map sslvpnhi
map-name memberOf IETF-Radius-Class
map-value memberOf...

!

With the test in ASDM, both LDAP servers work fine.

Now I created two group policies:

 

group-policy ssl_admin internal
group-policy ssl_admin attributes
dns-server value dnsserver
vpn-simultaneous-logins 10
vpn-idle-timeout 60
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_ssl_admin
default-domain value a.local
split-dns value a.local
split-tunnel-all-dns disable
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect profiles value gzs type user

!

group-policy ssl_admin_hi internal
group-policy ssl_admin_hi attributes
dns-server value dns server
vpn-simultaneous-logins 10
vpn-idle-timeout 60
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_ssl
default-domain value b.local
split-dns value b.local
split-tunnel-all-dns disable
webvpn
anyconnect keep-installer installed
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect profiles value gzs type user

!

tunnel-group ssl_admin type remote-access
tunnel-group ssl_admin general-attributes
address-pool ssl-clientpool
authentication-server-group (outside) ldapquerysrv1 LOCAL
default-group-policy ssl_admin

!

tunnel-group ssl_admin_hi type remote-access
tunnel-group ssl_admin_hi general-attributes
address-pool ssl-clientpool
authentication-server-group (outside) ldapquerysrv2 LOCAL
default-group-policy ssl_admin_hi

!

 

If I now try to log in with a user from domain a.local, the ASA takes the default tunnel group and not ssl_admin.

And if I try to log in with a user from domain b.local, the ASA tries to authenticate against the domain a.local:

 

Jul 23 2019 16:11:08 fw01 : %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = x.x.x.x : user = ***** : user IP = z.z.z.z

 

Could you please point me in the right direction.

 

Thanks a lot

 

Best Regards,

Daniel

Accepted Solution

Rahul Govindan
VIP Alumni

How are you connecting to "ssl_admin" and "ssl_admin_hi"? I did not see a group-url or group-alias configured. This may mean that you are hitting the DefaultWebVPNGroup, which is the default setting. Do you want the users to pick domain a or b from a dropdown? If yes, then configure a group-alias under each of the tunnel-groups and enable "tunnel-group-list" under the webvpn global config.

 

If you want them to hit the tunnel group directly without a dropdown choice, then configure a group-url for each tunnel-group, for example "https://vpn.domain.com/domaina" or "https://vpn.domain.com/domainb".

 

Another thing that you have not done as per the config is to assign the LDAP attribute map to the aaa-server config.

 

aaa-server ldapquerysrv1 (inside) host x.x.x.x
 ldap-attribute-map sslvpn

 

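The two fixes from the accepted answer written out as ASA configuration. This is an added example, not config from the thread; it assumes the public hostname vpn.example.com and uses the domain names as aliases, while the LDAP host addresses keep the placeholders from the original post.

```cisco
! Bind each LDAP attribute map to its aaa-server host, otherwise the
! memberOf -> IETF-Radius-Class mapping is never applied at login time
aaa-server ldapquerysrv1 (inside) host x.x.x.x
 ldap-attribute-map sslvpn
!
aaa-server ldapquerysrv2 (inside) host y.y.y.y
 ldap-attribute-map sslvpnhi
!
! Show the tunnel-group dropdown on the AnyConnect / portal login page
webvpn
 enable outside
 tunnel-group-list enable
!
! A tunnel-group with no alias and no URL is never selected, so clients
! fall through to DefaultWebVPNGroup. group-alias fills the dropdown;
! group-url lets a client reach the group directly (hostname assumed).
tunnel-group ssl_admin webvpn-attributes
 group-alias a.local enable
 group-url https://vpn.example.com/domaina enable
!
tunnel-group ssl_admin_hi webvpn-attributes
 group-alias b.local enable
 group-url https://vpn.example.com/domainb enable
```

After applying this, `show running-config tunnel-group ssl_admin_hi` should list the webvpn-attributes, and a rejected b.local login should now report `server = y.y.y.y` in the %ASA-6-113005 message instead of the a.local server.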

2 Replies

 

Thanks a lot. The config part on the tunnel-group was missing. Thanks a lot and have a nice day.
