CirrocumulusHi Team ,
How to configure a policy to allocate a different VPN subnet based on the AD membership .
Exapmle :
Users who are part of AD group US_AD_F5 should get IP from 10.10.10.0/24
Users who are part of AD group UK_AD_F5 should get IP from 10.10.20.0/24
MVPCreate two lease pools. One for 10.10.10.0/24 (i.e. lease-pool-us) and one for 10.10.20.0/24 (lease-pool-uk). Then create two Network Access resources, one for us, one for uk and use the corresponding lease pool in it.
then create a visual policy with different paths for different AD groups, in the one path do the Network Access assignment for us and in the other do the uk assignment.
CirrocumulusThanks for the reply ...
So I have to create AD query with multiple (3) fallback : one for US_AD_F5 & one for UK_AD_F5 and ast fallback is DENY .
EmployeeHi,
You can also set the ADQuery agent with a single "Successful" branch (configured with the expression "AD Query has passed") and leverage the AD Group Resource Assign agent: https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-assignment-items/about-ad-group-resource-assign.html
Regards,