How to add assign VPN IP based on AD group membership

Question

Hi Team ,&nbsp;How to configure a policy to allocate a different VPN subnet based on the AD membership .&nbsp;Exapmle :Users who are part of AD group US_AD_F5 should get IP from 10.10.10.0/24Users who are part of AD group UK_AD_F5 should get IP from 10.10.20.0/24&nbsp;&nbsp; &nbsp; &nbsp;

boneyard · Answer

Create two lease pools. One for 10.10.10.0/24 (i.e. lease-pool-us) and one for 10.10.20.0/24 (lease-pool-uk). Then create two Network Access resources, one for us, one for uk and use the corresponding lease pool in it.
then create a visual policy with different paths for different AD groups, in the one path do the Network Access assignment for us and in the other do the uk assignment.

blue_whale · Answer

Thanks for the reply ...&nbsp;So I have to create AD query with multiple (3) fallback : one for&nbsp;US_AD_F5 &amp; one for&nbsp;UK_AD_F5 and ast fallback is DENY .&nbsp;

scot_jc · Answer

Hi,
You can also set the ADQuery agent with a single "Successful" branch (configured with the expression "AD Query has passed") and leverage the AD Group Resource Assign agent:&nbsp;https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-visual-policy-editor/access-policy-item-reference/about-assignment-items/about-ad-group-resource-assign.html
Regards,

boneyard · Answer

That would work yes. Did you get this worked out? If so please flag the question as answered.

Forum Discussion

How to add assign VPN IP based on AD group membership

4 Replies

Recent Discussions

Can iRule be used to perform exception of IPI category based on Geolocation

Monitor string query

Telemetry streaming to Elasticsearch

Error while running ansible

SSL protocol mismatch

Related Content

APM variable assign examples

Mitigating OWASP API Security Risk: Mass Assignment using F5 XC Platform

Demystifying Time-based OTP

Cookie-based DDoS protection

iRule based RADIUS Client Stack