Writing after Feb 2016. What am I going to write about? Today I am going to show a way to restrict a set of Internet users accessing the AGEE URL.
Here is the use case behind it. There is a set of users who need to be restricted when accessing the AGEE URL over the Internet, so that they can access it only from a specific subnet. At the same time, other users should be allowed to access it from anywhere. How can we achieve this?
We thought of using AAA groups and restricting access with session policies. We created two AAA groups matching AD groups: one that needs to be restricted and one unrestricted.
Next we created two policies. The first allows the AD group only from a specific set of IPs. So what does its expression look like?
And if you look at the session profile, we have bound this AD group under Gateway session profile –> Security –> Advanced –>
For the other set of users, we mapped the other profile, with no IP defined, and that profile is tagged to a different set of session policies.
Once this is created, we have to check whether the policy is getting hit when a user tries to access the URL. For that we use the following command: “nsconmsg -g pol_hits -d current”
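An added example, not part of the original post and not NetScaler configuration: a small Python model of the access rule described above, for writing down the expected allow/deny matrix before checking policy hits on the appliance. The group names, the subnet and the directory data are constructed, and the behaviour for a user who is in both groups is an assumption of this model.

```python
import ipaddress

# Constructed sample values; the post does not give group names or subnets.
RESTRICTED_GROUP = "AGEE-Restricted"
UNRESTRICTED_GROUP = "AGEE-Anywhere"
ALLOWED_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]

def in_allowed_subnet(ip):
    # A version mismatch (IPv6 address, IPv4 network) is simply "not in".
    return any(ip in net for net in ALLOWED_SUBNETS)

# One entry per session policy: (name, source-IP rule, group its profile admits).
POLICIES = [
    ("pol_restricted", in_allowed_subnet, RESTRICTED_GROUP),
    ("pol_unrestricted", lambda ip: True, UNRESTRICTED_GROUP),
]

def evaluate(source_ip, user_groups):
    """Return (allowed, names of the modelled policies that would hit)."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, []          # unparsable source address: deny
    groups = set(user_groups)     # exact-match group names
    hits = [name for name, rule, group in POLICIES
            if group in groups and rule(ip)]
    return bool(hits), hits

def dual_members(directory):
    """Users in both groups: in this model the unrestricted policy admits
    them from anywhere, which defeats the subnet restriction."""
    return sorted(user for user, groups in directory.items()
                  if {RESTRICTED_GROUP, UNRESTRICTED_GROUP} <= set(groups))

if __name__ == "__main__":
    # Constructed directory data for the audit.
    directory = {
        "alice": [RESTRICTED_GROUP],
        "bob": [UNRESTRICTED_GROUP],
        "carol": [RESTRICTED_GROUP, UNRESTRICTED_GROUP],
    }
    for user, groups in directory.items():
        for src in ("192.0.2.10", "203.0.113.5"):
            print(user, src, evaluate(src, groups))
    print("in both groups:", dual_members(directory))
```

Each row of the printed matrix is a login to try against the gateway while watching the hit counters from the command above.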
Please provide feedback so that we can improve in case needed.
Monday, December 26, 2016