Hello, I have configured remote access vpn on asa with ldap authentication. But I can't limit vpn access with specific ldap group.

Here is my config:

aaa-server AZPBTDC01 (DC_Internal) host 192.168.10.250
ldap-base-dn dc=company, dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Netuser, ou=Services users, ou=ASM HQ, dc=company, dc=com
server-type microsoft
ldap-attribute-map AZPBTDC01

ldap attribute-map AZPBTDC01
map-name memberOf Group-Policy
map-value memberOf "CN=VPN_Admin,OU=ASM Group,OU=ASM HQ,DC=company,DC=com" RA_ADMIN_GP

group-policy NOACCESS internal
group-policy NOACCESS attributes
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 ssl-client
address-pools none

group-policy RA_ADMIN_GP internal
group-policy RA_ADMIN_GP attributes
dns-server value 192.168.10.251
vpn-simultaneous-logins 3
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSEC_RA_ACL_ADMIN

tunnel-group DefaultRAGroup general-attributes
default-group-policy NOACCESS

tunnel-group IPSEC_RA_ADMIN type remote-access
tunnel-group IPSEC_RA_ADMIN general-attributes
authentication-server-group AZPBTDC01 LOCAL
authorization-server-group AZPBTDC01
default-group-policy RA_ADMIN_GP

The problem is, all domen users can connect to vpn. ASA does not filter group assignment, non VPN_Admin group users can connect, but thet should not be able to connect.