AnyConnect LDAP

previous note
next note
We have several AnyConnect VPN tunnel groups on our ASAv.
Each tunnel group has its own authentication server group defined along with ldap attribute map.
The problem is that users who are not members of the LDAP IETF-Radius-Class are allowed to connect.
In following example, users who are not members of “CN=Sparck-VPN,OU=Sparck,OU=CBF Vendor Access,DC=cbf,DC=local” are allowed to access group-policy Corp_SPARCK_Policy

tunnel-group Corp_SPARCK type remote-access
tunnel-group Corp_SPARCK general-attributes
 address-pool anyconnect-pool-corp
 authentication-server-group Corp_SPARCK_LDAP
 default-group-policy Corp_SPARCK_Policy
tunnel-group Corp_SPARCK webvpn-attributes
 group-alias sparck enable
 group-url enable
 group-url enable
aaa-server Corp_SPARCK_LDAP protocol ldap
aaa-server Corp_SPARCK_LDAP (inside) host
 ldap-base-dn dc=cbf, dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn vpnauth@cbf.local
 server-type microsoft
 ldap-attribute-map Corp_SPARCK_Map
ldap attribute-map Corp_SPARCK_Map
  map-name  memberOf IETF-Radius-Class
  map-value memberOf "CN=Sparck-VPN,OU=Sparck,OU=CBF Vendor Access,DC=cbf,DC=local" Corp_SPARCK_Policy

group-policy Corp_SPARCK_Policy internal
group-policy Corp_SPARCK_Policy attributes
 dns-server value
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Corp_SPARCK_Filter
 default-domain value cbf.local
 split-tunnel-all-dns disable
 address-pools value anyconnect-pool-corp

Not sure if I have any error or misconfiguration.
Thanks everyone for the help!