Cisco ASA 5520 anyconnect/SSL VPN connect to Microsoft AD with security groups

I have a cisco anyconnect vpn setup on my ASA connecting to a 2008 AD server.  Users can successfully login with their AD account to the vpn and access the networks that I specify.  What I actually need is for the users to be denied access if they are not part of a security group that I specify.  I have an ldap-attribute-map setup and I even debug the login process and can verify that it is indeed tagging the correct user with the attribute map info.  Here is the config..

ldap attribute-map STRMLINE-VPN
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=SSLAccess,CN=Users,DC=(dcname),DC=(dcname),DC=priv SSLAccess
  map-value memberOf FALSE NOACCESS
dynamic-access-policy-record NOACCESS
 action terminate
dynamic-access-policy-record SSLAccess
 priority 1
  svc ask none default svc
aaa-server LDAP-STRMLINE protocol ldap
 server-port 389
 ldap-base-dn DC=(dcname),DC=(dcname),DC=PRIV
 ldap-group-base-dn CN=SSLAccess,CN=Users,DC=(dcname),DC=(dcname),DC=priv
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=asaldap,cn=Users,dc=(dcname),dc=(dcname),dc=priv
 server-type microsoft
 ldap-attribute-map STRMLINE-VPN
group-policy SSLAccess internal
group-policy SSLAccess attributes
 vpn-idle-timeout 30
 vpn-filter value EMPLOYEE-VPNTUNNEL
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 address-pools value EMPLOYEEVPNPOOL
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect ssl compression none
  anyconnect ask enable default anyconnect timeout 20
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client
tunnel-group SSLAccess type remote-access
tunnel-group SSLAccess general-attributes
 authentication-server-group LDAP-STRMLINE
 default-group-policy SSLAccess
tunnel-group SSLAccess webvpn-attributes
 group-alias EMPLOYEES enable

It also works if I create an OU and place users inside and then change the AAA, ldap scope onelevel and point it there.  The name of the security group is SSLAccess.  Any assistance would be appreciated.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Rob KnightConsultantCommented:

You can achieve the same sort of functionality using Dynamic Access policies.

Here you can set the default setting to block and then create a new role which allows a connection.

You can specify AD group as an LDAP attribute for enforcement and could optionally, lock them to group policy, for example.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
MrPowellAuthor Commented:
I do have DAP listed above in my config, im sure its not correct, I just needed a nudge in the right direction as far as what the config says for DAP
Rob KnightConsultantCommented:

Please see rc172 post about half-way down to help with the settings:

This is using ASDM which I found very helpful with DAP

Kind regards,

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.