Is it possible to map each user in AAA to the CN field located in the certificate?

saad_filali
Level 1

Hello,

I am using certificates for VPN remote access.

Is it possible to map each user in AAA to the CN field located in the certificate?

Thank you for your help.

1 Reply

Erick Delgado
Level 1

Hi,

Please see this configuration example.

! Map the AD memberOf attribute onto the RADIUS Class attribute the ASA uses
! to select a group-policy; members of the VPN group get policy CAC-Users.
ldap attribute-map memberOf
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=VPN,CN=Users,DC=cisco,DC=com CAC-Users

! LDAP server used for authorization; users are looked up by sAMAccountName.
aaa-server LDAP protocol ldap
aaa-server LDAP (outside) host 192.168.250.27
  ldap-base-dn DC=cisco,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *
  ldap-login-dn CN=asaldap,CN=Users,DC=cisco,DC=com
  server-type microsoft
  ldap-attribute-map memberOf

! Tunnel group: the username is taken from the certificate CN and must be
! authorized against LDAP; no separate user password (Xauth) is requested.
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
  address-pool VPN
  authorization-server-group LDAP
  authorization-required
  username-from-certificate CN
tunnel-group vpnclient ipsec-attributes
  trust-point LDAP
  isakmp ikev1-user-authentication none

! Policy applied to users that the attribute map resolves to CAC-Users.
group-policy CAC-Users internal
group-policy CAC-Users attributes
  dns-server value 192.168.250.27
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split

If you have any question let me know.
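To show the authorization path the configuration above relies on, here is an added Python model (not from the thread or from Cisco): it takes the certificate subject, extracts the CN as `username-from-certificate CN` does, looks the user up by sAMAccountName in a constructed directory, and applies the memberOf attribute map to choose the group-policy. The user names, the directory contents and the `DfltGrpPolicy` fallback are assumptions for the example.

```python
from typing import Dict, List, Optional

# Constructed stand-in for the Active Directory the ASA would query:
# sAMAccountName -> memberOf group DNs (hypothetical users and groups).
DIRECTORY: Dict[str, List[str]] = {
    "jdoe": ["CN=VPN,CN=Users,DC=cisco,DC=com", "CN=Staff,CN=Users,DC=cisco,DC=com"],
    "asmith": ["CN=Staff,CN=Users,DC=cisco,DC=com"],
}
# Mirrors the thread's "map-value memberOf <group DN> CAC-Users" line.
ATTRIBUTE_MAP: Dict[str, str] = {"CN=VPN,CN=Users,DC=cisco,DC=com": "CAC-Users"}


def cn_from_subject(subject: str) -> Optional[str]:
    """CN of an RFC 4514 subject string, as 'username-from-certificate CN'
    extracts it; only unescaped commas separate RDNs ('Doe\\, John' stays whole)."""
    rdns, cur, escaped = [], "", False
    for ch in subject:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    for rdn in rdns:
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def authorize(subject: str) -> Optional[str]:
    """Group-policy the ASA would apply to this certificate holder, or None
    when 'authorization-required' fails (no CN, or no LDAP object for it)."""
    username = cn_from_subject(subject)
    if username is None:
        return None
    groups = DIRECTORY.get(username)
    if groups is None:
        return None  # a valid certificate alone is not enough: LDAP lookup failed
    for group_dn in groups:
        if group_dn in ATTRIBUTE_MAP:
            return ATTRIBUTE_MAP[group_dn]
    return "DfltGrpPolicy"  # no mapped group: the ASA falls back to the default policy
```

`authorize` returning None for a user with a valid certificate but no LDAP object is the extra check that `authorization-required` adds on top of certificate validation.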