I have setup my users to authenticate via ldap for RA VPN on my ASA 5520. The users get logged in without any issues and get the correct information but I found the users are able to login under another group name. Originally I was using the tunnel-lock option when they were local users but now that appears to not be working anymore. I've setup the mapping to authenticate the users against AD with ldap, and retrieve the memberOf value and map this to the IETF-Class value. Is their something I'm missing?