I am running a Juniper SA4500 6.5R2
I have an RSA server for authentication and AD (nothing much set up yet).
My ideal solution is to have users in AD groups, and when they VPN they get assigned a range of IPs relevant to their AD group membership.
Do I have all I need to make this solution happen? I am used to Cisco and am getting used to the differences in the Juniper box.
I was experimenting with different URLs going to different IP ranges, but would rather have a slicker solution with RADIUS / AD groups etc.
Any help appreciated.
Thanks
Roger
You want to create Network Connect roles for each range you wish to assign, and then create NC connection profiles and assign them to the roles. Then use role mapping at the realm level to assign users to roles based on the AD group to which they belong.
Ken
Great thanks I will look into that later - I also need to tie in RSA as well.
Thanks
Roger
One more question:
Under Role Mapping, how do I specify an AD Group attribute?
Thanks
Roger
If you are using AD as your authorization server you can only map against the group itself, not against any AD attributes. If you switch to LDAP against your AD for authorization you have the ability to use your various AD attributes for role assignment. AD for authorization is fine if all you want is groups for mapping - not good for any real granular role mapping definitions. LDAP is much, much better.
If I understand you right, you use
AD-Username
AD-Password
RSA Token Number
for Authentication.
Your goal is to use AD Groups to give IPs to the Users according to their membership in one of these AD groups.
I use an IAS RADIUS server for authentication of AD users.
In the RAS Policies of the IAS server you can easily define a Windows group as a condition which has to match.
When, for example, RAS Policy 1 (User must be member of Windows Group "VPN-1") matches, in that RAS Policy under "Profile"... "Advanced" you can define the RADIUS return attribute "Class (25)" with a value like "VPN-1".
Then, at the IVE realm level, under role mapping, you can use user attributes (which in this case are the RADIUS return attributes) to map the user to an IVE role like "VPN-1 Role".
If User attribute Class (25) has value "VPN-1" then map the user to IVE Role "VPN-1".
And on Resource Policies on IVE...Network Connect... Profiles you can configure mapping of an IP-Network to the IVE User Role "VPN-1".
I think this is the most stable and even easy to configure and maintain solution for your scenario.
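The mapping chain described in the last post, as an added Python sketch that is not part of the thread and not Juniper or Microsoft code: it parses the attributes of a RADIUS Access-Accept, picks out Class (25) and resolves it to a role and address pool, returning nothing when the value is unknown or ambiguous. `ROLE_MAP`, the address pools, the function names and the sample packets are constructed assumptions; RFC 2865 allows several Class attributes in one reply, so the parser handles that case.

```python
import ipaddress
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code, RFC 2865
ATTR_CLASS = 25    # Class attribute type, RFC 2865

# Assumed role table (constructed): Class value -> (role name, address pool).
ROLE_MAP = {
    b"VPN-1": ("VPN-1 Role", ipaddress.ip_network("10.10.1.0/24")),
    b"VPN-2": ("VPN-2 Role", ipaddress.ip_network("10.10.2.0/24")),
}

def build_accept(attrs, ident=1):
    """Build a constructed Access-Accept from (type, value) pairs.
    The authenticator is zeroed; this sketch does not verify it."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, ident, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Return [(type, value)] from an Access-Accept, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def map_role(packet):
    """Map Class (25) values to one role; None means no role, no address."""
    classes = [v for t, v in parse_attributes(packet) if t == ATTR_CLASS]
    matches = {ROLE_MAP[c] for c in classes if c in ROLE_MAP}
    # Fail closed: an unknown Class, or two conflicting ones, gets nothing.
    return matches.pop() if len(matches) == 1 else None

if __name__ == "__main__":
    pkt = build_accept([(ATTR_CLASS, b"\x00opaque"), (ATTR_CLASS, b"VPN-1")])
    print(map_role(pkt))
```

A user who sits in two mapped groups, or in none, ends up with no role here, which is the behaviour to check for when testing the real role mapping rules.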