What I have:
On the ASA I have an AnyConnect Connect Profile. In this profile I have a default policy (the system is forcing me to add one policy), I have a URL https://url1/radius, and the AAA is RADIUS.
On the RSA (RADIUS server) I have the agent that communicates with the ASA (it is working OK); I am able to authenticate all the users from my RSA server to the VPN.
I have two profiles:
Profile1 Return List Attributes: Cisco-AVPAIR[M][O] ou=POLICY1
Profile2 Return List Attributes: Cisco-AVPAIR[M][O] ou=POLICY2
I have assigned Profile1 to user1 and Profile2 to user2
and I have checked the options Sent user's RADIUS Profile when both user and agent have profiles assigned to them
But still, when both user1 and user2 use https://url1/radius, they get the default policy for authorization, not POLICY1 or POLICY2.
What am I doing wrong?
Start with:
Get a packet capture of the traffic and check the return packet payload for the return attributes; verify the RSA server is sending what you expect it to send.
Here is an example where I just added two AVPAIRs to a user and see them in the RADIUS Access-Accept response packet.
Another way to check is to use NTRADPING 1.5: set it up as a new RADIUS client and agent, make/model Cisco IOS 11.1, and use it to do test authentications with a user and token. NTRADPING has a decode of the RADIUS reply, which would show any return attributes sent over.