Forum Discussion
CirrocumulusHow to add assign VPN IP based on AD group membership
Hi Team ,
How to configure a policy to allocate a different VPN subnet based on the AD membership .
Exapmle :
Users who are part of AD group US_AD_F5 should get IP from 10.10.10.0/24
Users who are part of AD group UK_AD_F5 should get IP from 10.10.20.0/24
4 Replies
- boneyard
MVP
Create two lease pools. One for 10.10.10.0/24 (i.e. lease-pool-us) and one for 10.10.20.0/24 (lease-pool-uk). Then create two Network Access resources, one for us, one for uk and use the corresponding lease pool in it.
then create a visual policy with different paths for different AD groups, in the one path do the Network Access assignment for us and in the other do the uk assignment.
Blue_whaleThanks for the reply ...
So I have to create AD query with multiple (3) fallback : one for US_AD_F5 & one for UK_AD_F5 and ast fallback is DENY .
Scot_JCEmployee
Hi,
You can also set the ADQuery agent with a single "Successful" branch (configured with the expression "AD Query has passed") and leverage the AD Group Resource Assign agent: https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-assignment-items/about-ad-group-resource-assign.html
Regards,
