Forum Discussion
assigning resources based on LDAP query and Group Membership
Hi,
I'm new to this forum, as I'm relatively new to altering F5 APM policy branches. :-)
We are running BIG-IP 12.1.1 (Build 1.0.196 HF1)
Currently, we filter contractors and employees based on your connecting IP address. If you are coming from a defined IP address, you are a contractor, and you go to this path. Else, you must be an employee, so you take this path. Employees have Imprivata VASCO tokens, so they utilize AD credentials (password+VASCO token).
As we seem to be dealing with more contractors, managing the IP addresses is becoming a cumbersome task. I'd like to be able to assign a token to the contractors and assign them specific resources accordingly.
Our logic is such that you authenticate (against Imprivata), then we strip token digits and add the domain. You then authenticate to AD (using LDAP) and are assigned your resources.
In a perfect world, I could use an LDAP query to check a user's group membership. If you are a member of the 'ContractorA' (AD Security Group), you go this way (for your resource assignment). If you are a member of the 'ContractorB' (AD Security Group), you go this way (for your resource assignment). Else, you are an 'employee', you go this way (for your resource assignment).
I'm just not sure how I set up that LDAP Query box to properly direct the user to the correct resource assignment branch. Obviously, I don't want 'ContractorA' to see 'ContractorB' resources. Nor do I want 'employee' resources to be available to any defined 'Contractor*' (and vice versa).
I suspect this is simple, so as I continue to refine my Google skills and my DevCentral search skills to find my answer, I thought I'd post my query here. Any assistance/guidance is greatly appreciated!
2 Replies
- ekaleido
Cirrus
After authentication, you'd add a box for AD Query and would add the 'is a Member of' (memberOf) condition there. You could add branch rules so that as you add contractors you would simply add to the branch rules in the AD Query box.
Hope that makes sense and helps.
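To make the branch-rule idea concrete, here is what the AD Query agent's branch rules look like on the Advanced tab of the Visual Policy Editor. This is an added example, not code from the thread or from F5; the group DNs (OU=Groups,DC=example,DC=com) and the branch names are assumptions, so substitute your own. Rules are evaluated top to bottom and the first one that evaluates true selects the branch; the fallback branch has no expression.

```tcl
# Added example (not from the original post). Branch rules for an APM AD Query
# agent, one expression per branch, in the order the VPE evaluates them.
# session.ad.last.attr.memberOf holds the user's group DNs as returned by the
# AD Query; the DN suffix below is an assumption for illustration.

# Branch "ContractorA": member of the ContractorA security group.
# Matching on the full DN (or at least "CN=ContractorA,") avoids a substring
# match against a differently named group such as CN=ContractorAdmins.
expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=ContractorA,OU=Groups,DC=example,DC=com" }

# Branch "ContractorB": member of the ContractorB security group.
expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=ContractorB,OU=Groups,DC=example,DC=com" }

# Branch "Employee": rather than relying on the fallback, match an explicit
# employee group so that a user with no matching group lands on fallback
# and gets nothing (assumed group name).
expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Employees,OU=Groups,DC=example,DC=com" }

# fallback: no expression. Connect it to a Deny ending.
```

Two things to check after wiring this up: a user who is in both ContractorA and ContractorB takes the ContractorA branch because it is tested first, and the AD Query must actually return memberOf (if the agent's required-attributes list is populated, memberOf has to be in it). Assign each branch its own Resource Assign agent so that contractor and employee resources never share a branch.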
Elk,
Please view the following.
https://support.f5.com/csp/article/K12193
There is also a light board session pertaining to this.
(edit) No light board sessions, apologies, it is an APM cook book post
https://devcentral.f5.com/articles/apm-cookbook-dynamic-apm-variables-24408