Monday, December 26, 2016

Restrict AGEE users from specific IP

Writing again after February 2016. What am I going to write about? Today I am going to show a way to restrict a set of Internet users accessing the AGEE (Access Gateway Enterprise Edition) URL.
Here is the use case behind it. There is a set of users who must be restricted so that they can reach the AGEE URL over the Internet only from a specific subnet. At the same time, all other users should be allowed to access it from anywhere. How can we achieve this?
We thought of using AAA groups and restricting them with session policies. We created two AAA groups matching AD groups: one that needs to be restricted and one that is unrestricted.
Now we created two policies. One allows the restricted AD group only from a specific set of IPs. So what does its expression look like?
And if you look at the session profile, we have bound this AD group under Gateway session profile –> Security –> Advanced –>
For the other set of users we mapped the other profile, in which no IP is defined, and that profile is tagged to a different session policy.
Once this is created, we have to check whether the policy is getting hit when a user tries to access the gateway. We use the following command: "nsconmsg -g pol_hits -d current"
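The actual expressions and profile settings are only in the screenshots, so as an added example (not from the original post) here is a small Python model of the two-policy design: the subnet, the AAA group names, the expression CLIENT.IP.SRC.IN_SUBNET and the simplified evaluation order are assumptions, and the model is a simplification of the appliance's real policy engine.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed example values: the subnet the restricted group may come from and
# the two AAA group names (assumed to match the AD group names in the post).
ALLOWED_SUBNET = ipaddress.ip_network("10.10.20.0/24")
RESTRICTED_GROUP = "AD_Restricted"
UNRESTRICTED_GROUP = "AD_Unrestricted"

@dataclass
class SessionProfile:
    name: str
    # Models the "groups allowed to login" setting; empty means no restriction.
    allowed_login_groups: Set[str] = field(default_factory=set)

@dataclass
class SessionPolicy:
    name: str
    rule: Callable[[ipaddress.IPv4Address], bool]  # models the policy expression
    profile: SessionProfile
    priority: int

def src_in_allowed_subnet(ip: ipaddress.IPv4Address) -> bool:
    """Models an expression such as CLIENT.IP.SRC.IN_SUBNET(<subnet>) (assumed)."""
    return ip in ALLOWED_SUBNET

# Session policies bound per AAA group, as in the post: the restricted group's
# policy fires only from ALLOWED_SUBNET, the other group's policy fires anywhere.
GROUP_BINDINGS: Dict[str, List[SessionPolicy]] = {
    RESTRICTED_GROUP: [SessionPolicy("pol_restricted", src_in_allowed_subnet,
                                     SessionProfile("prof_restricted", {RESTRICTED_GROUP}), 100)],
    UNRESTRICTED_GROUP: [SessionPolicy("pol_unrestricted", lambda ip: True,
                                       SessionProfile("prof_unrestricted"), 100)],
}

def evaluate(user_groups: Set[str], client_ip: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, name of the policy hit). Simplified model: the user's
    group-bound policies are tried in priority order and the first one whose
    rule matches selects the profile; a user with no hit is denied here (the
    appliance would go on to vserver-level and global policies)."""
    ip = ipaddress.ip_address(client_ip)
    candidates = [p for g in sorted(user_groups) for p in GROUP_BINDINGS.get(g, [])]
    for policy in sorted(candidates, key=lambda p: p.priority):
        if policy.rule(ip):
            allowed = (not policy.profile.allowed_login_groups
                       or bool(user_groups & policy.profile.allowed_login_groups))
            return allowed, policy.name
    return False, None
```

A user who is a member of both AD groups is allowed from anywhere in this model, because the unrestricted group's policy still fires; that overlap is worth checking in the AD group memberships.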
Please provide feedback so that we can improve if needed.