On the ASA we need the following configuration. First we configure the LDAP attribute map.
ldap attribute-map VPN-Map
map-name memberOf IETF-Radius-Class >>>> Maps memberOf to the RADIUS Class attribute.
map-value memberOf CN=DomainAdminVPN,CN=. truncated >>>> Defines the group membership for the user.
map-name msNPAllowDialin IETF-Radius-Class >>>> If the user has Dialin permission enabled and is a member of the DomainAdminVPN group in AD, the user is allowed access.
map-value msNPAllowDialin FALSE NoVpnAccess >>>> If Dialin permission is not checked, the user is mapped to the NoVpnAccess VPN group policy.
group-policy NoVpnAccess attributes >>>> Create a group policy named NoVpnAccess.
vpn-simultaneous-logins 0 >>>> Allow 0 logins for users of this group.
If users are not members of the defined group (DomainAdminVPN) and their Dialin access is set to Deny, they are dropped into the NoVpnAccess group policy, which allows 0 connections.
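The map above only assigns NoVpnAccess when a map-value matches. The following added example (not part of the original configuration) binds VPN-Map to an LDAP server and also makes NoVpnAccess the connection profile's default, so a user for whom no map-value matches still gets 0 logins. The names LDAP-AD and VPN-TG, the interface name inside and the address 192.0.2.10 are placeholders assumed for illustration.

```cisco
! Added example. LDAP-AD, VPN-TG, inside and 192.0.2.10 are placeholders.
!
! LDAP server group with the attribute map from this page applied to it.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 server-type microsoft
 ldap-attribute-map VPN-Map
!
! The deny policy must exist as an internal policy before its
! attributes can be set.
group-policy NoVpnAccess internal
group-policy NoVpnAccess attributes
 vpn-simultaneous-logins 0
!
! Fail closed: the connection profile authenticates against LDAP-AD and
! defaults to NoVpnAccess. Only a user whose LDAP attributes map to a
! different group policy can log in.
tunnel-group VPN-TG type remote-access
tunnel-group VPN-TG general-attributes
 authentication-server-group LDAP-AD
 default-group-policy NoVpnAccess
```

During a test login, `debug ldap 255` shows the attributes returned by AD and which group policy each one was mapped to.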