Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

how do i use an active directory group for vpn and not all user

hi all,

i have an asa 5515x...

how do i use a particular group in active directory to have vpn/anyconnect access?  right now i believe it's for all user on my current config,


!integrate with active directory

aaa-server LDAPSERVERS protocol ldap

aaa-server LDAPSERVERS (vlan192) host

ldap-base-dn dc=company,dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password 12345678

ldap-login-dn cn=administrator,cn=Users,dc=company,dc=com

server-type auto-detect


say i want this "vpn-group" object group in AD and my vpn is only anyconnect and no other vpn types.

thanks for any comment you may add.

Hall of Fame Super Silver

how do i use an active directory group for vpn and not all user

The best way is to use Dynamic Access Policies (DAP). Cisco has a white paper (here) that shows how one can choose the LDAP group as one of the DAP criteria.

DAP requires the Advanced Endpoint Assessment feature, so your licensing must support that.

CreatePlease to create content