Forum Discussion
How to assign VPN IP based on AD group membership
Hi Team,
How do I configure a policy to allocate a different VPN subnet based on AD group membership?
Example:
Users who are part of AD group US_AD_F5 should get IP from 10.10.10.0/24
Users who are part of AD group UK_AD_F5 should get IP from 10.10.20.0/24
4 Replies
Create two lease pools. One for 10.10.10.0/24 (i.e. lease-pool-us) and one for 10.10.20.0/24 (lease-pool-uk). Then create two Network Access resources, one for us, one for uk and use the corresponding lease pool in it.
Then create a visual policy with different paths for different AD groups. In one path do the Network Access assignment for us, and in the other do the uk assignment.
Thanks for the reply...
So I have to create an AD query with multiple (3) fallbacks: one for US_AD_F5, one for UK_AD_F5, and the last fallback is DENY.
Hi,
You can also set the ADQuery agent with a single "Successful" branch (configured with the expression "AD Query has passed") and leverage the AD Group Resource Assign agent: https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-assignment-items/about-ad-group-resource-assign.html
Regards,