Forum Discussion
apm question
I'm not sure I understand the question. I assumed from your first post that you wanted to perform a RADIUS auth based on user credentials, and would have the RADIUS server configured to send user attributes back in its response. If that's still the case, then you need to look at what those attributes are before you can configure anything in the APM visual policy to allow access to different resources based on them. I'd recommend creating a visual policy that does a simple allow at the end of the RADIUS auth agent. Then once you have a successful auth, run an access policy report in the GUI and see what session variables are available from the RADIUS server's response.
So for example, let's say RADIUS returns a "groupid" value, which is assigned to the session.radius.last.attr.groupid session variable (again, arbitrary for the sake of this example). In the visual policy, directly after the RADIUS auth, place an Empty agent (it's actually called that). Open it up and go to the branch rules tab. Create TWO branches (it'll be 3 branches including the fallback branch). For the first branch, enter something like the following:
expr { [mcget {session.radius.last.attr.groupid}] equals "sales" }
For the second branch, enter something like the following:
expr { [mcget {session.radius.last.attr.groupid}] equals "tech" }
In the visual policy, place the appropriate full resource assignment after each respective branch of the Empty agent.