ASA LDAP Attribute-map issue: VPN users can connect to any group policy

sam cook (Spotlight)

Hi,

I have an issue with VPN users authentication.

The problem is: if the user is a member of a valid group policy, he can connect to any group policy.

Here is my config: Cisco ASA 9.13

ldap attribute-map Class
map-name memberOf Group-Policy
map-value memberOf CN=*******,CN=Users,DC=in,DC=ac-arcueil,DC=fr ***********
map-value memberOf CN=********,CN=Users,OU=stbu,DC=cisco,DC=com **************P

in "debug ldap 255" I can see:

Any idea please?

15 Replies

Hi @sam cook

Do you have a group-policy configured with vpn-simultaneous-logins 0? This group-policy will be the default policy configured on the tunnel-group. Example:

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0

Your group-policies defined above would need to be explicitly configured with vpn-simultaneous-logins greater than 0, otherwise they will inherit from the default group-policy, which would deny.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc15

Here is an example full config

HTH

sam cook (Spotlight)

Thank you @Rob Ingram.

I made the modification you asked for, but I still get the same behaviour.

The user j****** could still connect to any group, despite being only a member of the ******* LDAP group.

Now I have this in my configuration:

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
group-policy ******* internal
group-policy ******** attributes
wins-server none
dns-server value 1***************
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
default-domain none
group-policy ************* internal
group-policy ***************** attributes
wins-server none
dns-server value 1**********************2
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
default-domain none

What is your tunnel-group configuration? Have you referenced the NOACCESS group-policy under the tunnel-group?

tunnel-group TUNNEL-GROUP-NAME general-attributes
default-group-policy NOACCESS

Should I use "default-group-policy NOACCESS" for all my tunnel groups (********* and *************)?

Yes, because the LDAP attribute map is specifying to use "GroupPolicy_VPN_DAF" or "GroupPolicy_VPN_VIP" if a member of the correct group. If not a member of the group it will hit the default group-policy "NOACCESS" as defined under the tunnel-group, which will deny access.

I made the changes in configuration, so now I have:

ciscoasa# sho running-config tunnel-group

tunnel-group VPN_VIP type remote-access
tunnel-group VPN_VIP general-attributes
address-pool vip
authentication-server-group LDAP-AD
default-group-policy NOACCESS
tunnel-group VPN_VIP webvpn-attributes
group-alias VPN_VIP enable

tunnel-group VPN_DAF type remote-access
tunnel-group VPN_DAF general-attributes
address-pool daf
authentication-server-group LDAP-AD
default-group-policy NOACCESS
tunnel-group VPN_DAF webvpn-attributes
group-alias VPN_DAF enable

But now the user jsnow cannot connect to any profile (DAF or VIP).

What's wrong, in your opinion?

Looking at your previous debugs, your LDAP group is incorrect.

map-value memberOf CN=vpn_daf,CN=Users,DC=in,DC=ac-arcueil,DC=fr GroupPolicy_VPN_DAF
map-value memberOf CN=vpn_vip,CN=Users,OU=stbu,DC=cisco,DC=com GroupPolicy_VPN_VIP

in "debug ldap 255" I can see:

memberOf: value = CN=vpn_daf,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr
[135] mapped to Group-Policy: value = CN=vpn_daf,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr
[135] mapped to LDAP-Class: value = CN=vpn_daf,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr

sam cook (Spotlight)

Hi @Rob Ingram

Thank you again for searching with me.

I created a new attribute-map with the right information:

(see attached)

And now jsnow can connect again to all profiles (DAF and VIP). When he connects to VIP (which he is normally not authorised to do), I can see that he is assigned to the right group policy (DAF) but the wrong tunnel group (VPN-VIP).

(I omitted my public IP)

(see attached)

In the LDAP debug I can see that he matches the DAF group-policy:

memberOf: value = CN=vpn_daf,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr
[170] mapped to Group-Policy: value = GroupPolicy_VPN_DAF
[170] mapped to LDAP-Class: value = GroupPolicy_VPN_DAF

In my config, the default group is NOACCESS for all profiles:

(see attached)

and simultaneous logins = 0

(see attached)

but for the other groups it's = 3

(see attached)

I still cannot understand why it's not working.

Previous attached file screenshots are at these URLs:

***********

Ok I see what you are wanting now. The users are matching the correct group-policy, but they can connect to another tunnel-group, which you do not want. I've done this previously when using RADIUS, but not when using just LDAP.

You could probably use DAP to determine which tunnel-group the user is connecting from and then permit/deny if in the wrong AD group.

@Rob Ingram

I tried to configure DAP, so in selection criteria I can select group_policy DAF, but in access/authorization I can't find how to select the tunnel group. My goal is to prevent users in the DAF group_policy from getting to the VIP tunnel group.

 

Accepted Solution

AAA attribute = cisco.tunnelgroup
Operation/Value = <YOUR TUNNELGROUP>

combine that with

AAA attribute = ldap.memberOf
Operation/Value = LDAP Group

@Rob Ingram: it works!!! You are a big boss, thank you very much.

harmesh88 (Level 1)

Please go through the steps below and check whether it is properly configured or not.

Configure a NOACCESS Group-policy
You can create a NOACCESS group-policy in order to deny the VPN connection when the user is not part of any of the LDAP groups. This configuration snippet is shown for your reference:

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol IPSec webvpn

You must apply this group policy as a default group policy to the tunnel-group. This allows users who get a mapping from the LDAP attribute map, for example those who belong to a desired LDAP group, to get their desired group policies, and users who do not get any mapping, for example those who do not belong to any of the desired LDAP groups, to get the NOACCESS group-policy from the tunnel-group, which blocks access for them.

Tip: Since the vpn-simultaneous-logins attribute is set to 0 here, it must be explicitly defined in all the other group-policies as well; otherwise, it will be inherited from the default group-policy for that tunnel group, which in this case is the NOACCESS policy.
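To tie the thread together, here is an added, complete CLI example of the finished setup. It is not configuration from the original posts or from Cisco. It combines the corrected attribute map (group DNs copied as they appear in the "debug ldap 255" output, OU=GROUPES rather than CN=Users), the NOACCESS default with vpn-simultaneous-logins 0 described in the steps above, and group-lock on each mapped group-policy as a CLI-only alternative to the DAP record in the accepted solution: group-lock compares the tunnel-group the client selected with the one pinned in the assigned policy, so a user whose memberOf maps to GroupPolicy_VPN_DAF is refused when he picks the VPN_VIP alias instead of landing on the right policy in the wrong tunnel-group. Assumptions: the LDAP server address, login DN, base DN, pool ranges and interface name are placeholders; the vpn_vip group is assumed to live in the same OU=GROUPES container as vpn_daf (the thread only shows the vpn_daf DN); and the DAP record from the accepted solution is still the way to go if you also need to match on other session attributes.

```cisco
! --- LDAP server (address, login DN and base DN are placeholders) ---
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 ldap-base-dn DC=in,DC=ac-arcueil,DC=fr
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,CN=Users,DC=in,DC=ac-arcueil,DC=fr
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map Class
!
! --- Attribute map: the DN must match the memberOf value byte for byte,
!     so it is taken from the debug output, not from the old CN=Users guess.
!     The vpn_vip DN below is an assumption (same OU as vpn_daf). ---
ldap attribute-map Class
 map-name memberOf Group-Policy
 map-value memberOf CN=vpn_daf,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr GroupPolicy_VPN_DAF
 map-value memberOf CN=vpn_vip,OU=GROUPES,DC=in,DC=ac-arcueil,DC=fr GroupPolicy_VPN_VIP
!
! --- Default policy for anyone the map does not match: zero logins = denied ---
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! --- Mapped policies. vpn-simultaneous-logins is set explicitly so it is not
!     inherited (as 0) from NOACCESS, and group-lock pins each policy to its
!     own tunnel-group so the mapped user cannot pick the other alias. ---
group-policy GroupPolicy_VPN_DAF internal
group-policy GroupPolicy_VPN_DAF attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 default-domain none
 group-lock value VPN_DAF
group-policy GroupPolicy_VPN_VIP internal
group-policy GroupPolicy_VPN_VIP attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 default-domain none
 group-lock value VPN_VIP
!
! --- Address pools (placeholder ranges) ---
ip local pool daf 10.10.1.1-10.10.1.100 mask 255.255.255.0
ip local pool vip 10.10.2.1-10.10.2.100 mask 255.255.255.0
!
! --- Tunnel-groups: both authenticate against LDAP-AD and both fall back to
!     NOACCESS, so the tunnel-group itself never grants a usable policy. ---
tunnel-group VPN_DAF type remote-access
tunnel-group VPN_DAF general-attributes
 address-pool daf
 authentication-server-group LDAP-AD
 default-group-policy NOACCESS
tunnel-group VPN_DAF webvpn-attributes
 group-alias VPN_DAF enable
tunnel-group VPN_VIP type remote-access
tunnel-group VPN_VIP general-attributes
 address-pool vip
 authentication-server-group LDAP-AD
 default-group-policy NOACCESS
tunnel-group VPN_VIP webvpn-attributes
 group-alias VPN_VIP enable
!
! --- Verification, without and with a client session ---
! debug ldap 255
! test aaa-server authentication LDAP-AD host 192.0.2.10 username jsnow password <pw>
! show vpn-sessiondb anyconnect filter name jsnow
```

Verify in two steps. "test aaa-server authentication" together with "debug ldap 255" shows whether the map-value matched: the "mapped to Group-Policy" line must read GroupPolicy_VPN_DAF, not the raw DN (a raw DN there, as in the first debug in this thread, means the string in the map-value did not match). Then connect as jsnow through the VPN_VIP alias: with group-lock the session should be refused, and a connection through VPN_DAF should show Group Policy GroupPolicy_VPN_DAF and Tunnel Group VPN_DAF in "show vpn-sessiondb anyconnect filter name jsnow". If the mapped policy has no group-lock (or it is set to none), the pre-fix behaviour returns: right policy, wrong tunnel-group, exactly what the DAP record in the accepted solution also blocks.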
