Configuring Authorization Policy Filter Based on IP Address and Group on NetScaler

Background

Consider the following scenario, when a connection reaches the NetScaler Gateway VIP, the NetScaler Gateway should allow or deny access to users who are members of a particular Active Directory group. Also NetScaler should allow access to those users who are connecting from a certain subnet.

Configuring Authorization Policy Filter Based on IP Address and Group on NetScaler

This setup can be implement by creating groups on NetScaler. The Group names on the NetScaler Gateway should match with the names on the Active Directory server. After the Group is configured, create an Authorization policy and bind it to the Group. If the Users are a member of that Group and on the defined subnet, they are allowed access. Optionally you can also bind a Session policy to the Group.

Example

Run the following command from the command line interface of the NetScaler:
add authorization policy auth_policy "REQ.IP.SOURCEIP == 172.16.1.0 -netmask 255.255.255.0" ALLOW
bind aaa group TechSupport -policy auth_policy -priority 100

In the preceding command the group name is "TechSupport" and subnet to be allowed is "172.16.1.0/24".