When a user belongs of more than 10 member groups in AD, VIP Enterprise Gateway will only send the first 10 values to the VPN Gateway.  This causes the VPN Gateway (I.e., CISCO ASA) to reject the user. 
 

By default the number of response for getting an attribute value is set to 10.  

• Edit the radserv.conf file located in <VIPEG Install folder>\Validation\servers\<Validation server name>\conf.
• Locate the line server.max_attribute_in_response=10. 
• Change 10 to match or exceed the number of groups users are a part of.  
• Restart the validation server(s).
• Send a validation request. The response should now show more than 10.