How to assign VPN IP based on AD group membership

Sarovani
Cirrocumulus

Hi Team,

How to configure a policy to allocate a different VPN subnet based on the AD membership.

Example:

Users who are part of AD group US_AD_F5 should get IP from 10.10.10.0/24

Users who are part of AD group UK_AD_F5 should get IP from 10.10.20.0/24

 

     


boneyard
MVP

Create two lease pools. One for 10.10.10.0/24 (i.e. lease-pool-us) and one for 10.10.20.0/24 (lease-pool-uk). Then create two Network Access resources, one for us, one for uk and use the corresponding lease pool in it.

Then create a visual policy with different paths for different AD groups. In one path do the Network Access assignment for us, and in the other do the uk assignment.

Thanks for the reply...

 

So I have to create an AD query with multiple (3) fallbacks: one for US_AD_F5 & one for UK_AD_F5, and the last fallback is DENY.

Hi,

You can also set the ADQuery agent with a single "Successful" branch (configured with the expression "AD Query has passed") and leverage the AD Group Resource Assign agent: https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-visual-policy-editor/access-...

Regards,

That would work, yes. Did you get this worked out? If so please flag the question as answered.
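The branch layout discussed in this thread (one branch per AD group, each tied to its own lease pool, with a deny fallback), modelled in Python as an added example that is not part of the original posts and is not F5 configuration. It assumes top-down, first-match branch evaluation and group membership delivered as a pipe-separated list of group DNs; the function names and sample values are hypothetical, and escaped commas inside DNs are not handled.

```python
import ipaddress

# Ordered branches from the thread: AD group CN -> (lease pool name, subnet).
# Pool names follow the first reply; evaluation order is an assumption.
BRANCHES = [
    ("US_AD_F5", "lease-pool-us", ipaddress.ip_network("10.10.10.0/24")),
    ("UK_AD_F5", "lease-pool-uk", ipaddress.ip_network("10.10.20.0/24")),
]

def group_cns(member_of):
    """Extract group CNs from a pipe-separated list of group DNs (assumed format)."""
    cns = set()
    for dn in member_of.split("|"):
        first_rdn = dn.strip().split(",", 1)[0]
        key, _, value = first_rdn.partition("=")
        if key.strip().upper() == "CN" and value:
            cns.add(value.strip().upper())
    return cns

def assign(member_of, query_passed=True):
    """Return (pool, subnet) for the first matching branch, or None for deny."""
    if not query_passed:
        return None
    cns = group_cns(member_of)
    for group, pool, subnet in BRANCHES:
        if group.upper() in cns:  # exact CN comparison, not a substring test
            return pool, subnet
    return None  # fallback branch: DENY

def lease_matches_policy(member_of, client_ip):
    """Audit check: is the leased address inside the subnet the policy allows?"""
    result = assign(member_of)
    return result is not None and ipaddress.ip_address(client_ip) in result[1]

# Constructed sample memberOf values (not real directory data).
US_USER = "| CN=US_AD_F5,OU=Groups,DC=example,DC=com | CN=Staff,OU=Groups,DC=example,DC=com |"
BOTH = "| CN=UK_AD_F5,OU=Groups,DC=example,DC=com | CN=US_AD_F5,OU=Groups,DC=example,DC=com |"
LOOKALIKE = "| CN=US_AD_F5_Contractors,OU=Groups,DC=example,DC=com |"

if __name__ == "__main__":
    for label, value in [("us", US_USER), ("both", BOTH), ("lookalike", LOOKALIKE)]:
        print(label, assign(value))
```

A user in both groups lands on whichever branch is listed first, and a similarly named group such as the constructed `US_AD_F5_Contractors` falls through to deny because the comparison is on the whole CN.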