
AnyConnect: multiple GPs for the same AD realm?

DianaT
Level 1

Hello, community.

I'm working on deploying an ASA 5516-X in our environment (NOT FTD, using ASDM), and one of the services we're planning to use is the AnyConnect RA VPN.

We have everything in an AD domain, so we want to use LDAP authentication. I'm referring to these two guides: "Cisco ASA - AnyConnect VPN with Active Directory Authentication Complete Setup Guide" (Techstat) and "ASA Use of LDAP Attribute Maps Configuration Example" (Cisco). From what I can understand, each specified LDAP server can be assigned only one Attribute Map, and each attribute map can be assigned only one Group Policy.

We want to create several connection profiles, for example one with split tunneling and one without. It looks like the split tunneling settings are defined in the Group Policy. But, as I mentioned before, there's a rigid chain "Profile - GP - AM - LDAP server".

Does that mean that to create multiple connection profiles with different GPs I would have to create a separate server list with the same servers but with a different AM applied to them? That doesn't look very efficient, and with the FTD (we were using it before, but it's missing features we need) there was no problem assigning the same identity servers to different connection profiles.

Any help/experience is appreciated.

1 Reply

Hi,

You can still assign the same servers to multiple GPs as in FTD. No need to create one per GP.

**** please remember to rate useful posts
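
The arrangement described in the reply, as an added ASA CLI example that is not part of the original thread or of Cisco's guides: one LDAP server group referenced by two connection profiles (tunnel-groups), each with its own default group policy. All names, addresses, DNs and the ACL are constructed placeholders; address pools and the AnyConnect image/webvpn setup are omitted.

```cisco
! One AAA server group for the AD realm (constructed names and addresses)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <PLACEHOLDER>
!
! Networks that go through the tunnel for the split-tunnel policy
access-list SPLIT-ACL standard permit 10.0.0.0 255.0.0.0
!
! Group policy 1: split tunneling
group-policy GP-SPLIT internal
group-policy GP-SPLIT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL
!
! Group policy 2: full tunnel
group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
!
! Connection profile 1: same server group, split-tunnel policy
tunnel-group VPN-SPLIT type remote-access
tunnel-group VPN-SPLIT general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-SPLIT
tunnel-group VPN-SPLIT webvpn-attributes
 group-alias Split enable
!
! Connection profile 2: same server group, full-tunnel policy
tunnel-group VPN-FULL type remote-access
tunnel-group VPN-FULL general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-FULL
tunnel-group VPN-FULL webvpn-attributes
 group-alias Full enable
```

If an LDAP attribute map on the server group returns a Group-Policy value for a user, that value takes precedence over the profile's `default-group-policy`, so check for one when the effective policy differs from the profile's.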