How does the Cisco ASA use Active Directory to authorize VPN users?

A.
It queries the Active Directory server for a specific attribute for the specified user.

B.
It sends the username and password to retrieve an ACCEPT or REJECT message from the Active
Directory server.

C.
It downloads and stores the Active Directory database to query for future authorization requests.

D.
It redirects requests to the Active Directory server defined for the VPN group.

Explanation:
BD
?
When ASA needs to authenticate a user to the configured LDAP server, it first tries to login using the login DN
provided. After successful login to the LDAP server, ASA sends a search query for the username provided by
the VPN user. This search query is created based on the naming attribute provided in the configuration. LDAP
replies to the query with the complete DN of the user. At this stage ASA sends a second login attempt to the
LDAP server. In this attempt, ASA tries to login to the LDAP server using the VPN user’s full DN and password
provided by the user. A successful login to the LDAP server will indicate that the credentials provided by theVPN user are correct and the tunnel negotiation will move to the Phase 2.
Source: http://www.networkworld.com/article/2228531/cisco-subnet/using-your-active-directory-for-vpnauthentication-on-asa.html