SSL VPN

Contributor
vbroadwater

Role Mapping by Custom Expression

Hi.  I'm currently doing a modified version of mapping roles by group membership by using a custom LDAP expression instead.  This limits what the SSL VPN is looking for and basically takes it easy(ier?) on the AD server (and its admins!).

Everything works great so far, but now I want to set up an 'everyone else' role for users that authenticate to the AD, yet don't match one of the specific roles.  The Custom Expression match doesn't have a "not" option like the username match does.  Any suggestions on how I can go about this?

Thanks!

Trusted Contributor
dennish

Re: Role Mapping by Custom Expression

Never tested this, but can't you just change the = statement to != maybe?

Dennis

Recognized Expert
kenlars

Re: Role Mapping by Custom Expression

That definitely works - I use it in a number of custom expressions.

Contributor
vbroadwater

Re: Role Mapping by Custom Expression

Brilliant!  I was definitely thinking too complex...  But while that should work, it doesn't appear to be working correctly.  My main goal is to have everyone get this 'catch all' role except for users that match to a particular 'web only' type of access role because I don't want them to get Network Connect.  So I created two new expressions to negate the ones that match to those users.  The expressions look like this:

ntdomain != "domain1"

ntdomain != "domain2"

But when I made adjustments to it this morning and refreshed the roles for the realm, everyone was assigned this 'catch all' role, including the ones that I don't want to get it.  Or should I be waiting for someone to re-login to see how the new role mapping actually plays out?

Recognized Expert
kenlars

Re: Role Mapping by Custom Expression

I think the issue is your logic.  If you create two expressions -

ntdomain != "domain1"

ntdomain != "domain2"

and then use both those in the role mapping configuration, then all users will match one or both of those expressions.  The users in "domain1" will match the second expression and the users in "domain2" will match the first expression.  Try a single expression -

(ntdomain != "domain1") AND (ntdomain != "domain2")

Ken
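To show why two separate rules fail where Ken's single ANDed expression works, here is an added Python model of role-mapping rule evaluation (example code written for this page, not code from the thread or from Juniper's product; the tiny expression parser, its assumed grammar, the sample users and the rule lists are all constructed assumptions):

```python
import re

# Constructed sample users (not from the thread): domain1/domain2 are the
# "web only" users who must NOT get the catch-all role; everyone else should.
USERS = {
    "alice": {"ntdomain": "domain1"},   # web-only
    "bob":   {"ntdomain": "domain2"},   # web-only
    "carol": {"ntdomain": "corp"},      # should receive the catch-all role
}
# Minimal parser for the expression subset seen in the thread (assumed
# grammar): attr = "value", attr != "value", AND, OR and parentheses.
TOKEN = re.compile(r'\s*(\(|\)|!=|=|"[^"]*"|[A-Za-z_]\w*)')

def evaluate(expr, attrs):
    """Return True if the custom expression matches the user's attributes."""
    toks, pos = TOKEN.findall(expr), 0
    def peek(): return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos; pos += 1; return toks[pos - 1]
    def parse_or():                       # OR binds loosest
        val = parse_and()
        while peek() == "OR":
            take(); rhs = parse_and(); val = val or rhs
        return val
    def parse_and():                      # AND binds tighter than OR
        val = parse_atom()
        while peek() == "AND":
            take(); rhs = parse_atom(); val = val and rhs
        return val
    def parse_atom():                     # ( expr )  or  attr =/!= "value"
        if peek() == "(":
            take(); val = parse_or()
            if take() != ")": raise ValueError("missing ')' in %r" % expr)
            return val
        name, op, lit = take(), take(), take()
        if op not in ("=", "!=") or not lit.startswith('"'):
            raise ValueError("expected attr = \"value\" in %r" % expr)
        equal = attrs.get(name) == lit.strip('"')
        return equal if op == "=" else not equal
    result = parse_or()
    if pos != len(toks): raise ValueError("trailing tokens in %r" % expr)
    return result

def map_roles(rules, attrs):
    """Rules are independent: a user gets the role of EVERY matching rule, so two rules act like OR."""
    return {role for expr, role in rules if evaluate(expr, attrs)}

# What the original poster configured: two separate rules for the same role.
BROKEN = [('ntdomain != "domain1"', "catch-all"), ('ntdomain != "domain2"', "catch-all")]
# Ken's fix: one rule whose expression ANDs both conditions.
FIXED = [('(ntdomain != "domain1") AND (ntdomain != "domain2")', "catch-all")]
```

With BROKEN every sample user ends up with the catch-all role (each web-only user matches the rule written for the other domain); with FIXED only carol does.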

Contributor
vbroadwater

Re: Role Mapping by Custom Expression

Looks like that did it!  Clearly I'm not too good with expressions.  :)  Thanks for the help!!!

Recognized Expert
kenlars

Re: Role Mapping by Custom Expression

One more note - the policy tracing feature is invaluable in finding out why things like this are not working.  I'm guessing that the policy trace would have shown you which expression a user was matching, and you would have figured it out.  Most of what I know about custom expressions I learned from the policy trace.

Contributor
vbroadwater

Re: Role Mapping by Custom Expression

Absolutely agree about the policy tracing.  It really helped me out a TON when I was first setting up this device last year.  Unfortunately for this issue, I never know when (or who) someone is going to try to log in in order to set up the trace, plus they're overseas so we have a time difference issue going on as well.

But all's good now.  Thanks again!  :)

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.