I'm new to Juniper products and have been tasked to implement SSL access using the MAG 4610 appliance. I've got a pretty good handle on creating roles and how they are assigned to users. We have approximately 150 Active Directory groups that will be accessing the system and each will need to be mapped to a different role. The role names will mirror the AD group names. Is it possible to create a custom expression that would match the AD group with a role and if there are no matches then drop the user into a catch-all role. Ideally I'd only have one or two custom expressions to accomplish this. If someone could provide and example I'd much appreciate it, I've read a lot of documentation on custom expressions but there aren't a lot of examples. I've got the system successfully authenticating to our domain controllers and can see the groups so that part is complete. Thanks for any and all help
Have you tried using the expression groups!= ("grp1" or "grp2" or "grp3") and asisgn the all catch role if it matches this rule
you need to map each group into a role? isn't that means you need to create as many roles as your groups?
There will be a one to one match of AD group and roles. What I am trying to avoid is creating 150 seperate role mapping rules. If a customer logs into the system and is a member of AD group "Test-1" I would like to build a custom expression that maps him to the matching role of the same name. Then if there isn't a matching role name drop the user into a catch-all rule
Are these so differnt that you need 150 roles. What is differences
Each role is accessing different servers via an RDP session.
I don't believe there is any way to do the kind of role-assignment you want to do. But there may be something which would work and be very simple.
If you can store the RDP destination names or IP addresses in a multivalued attribute in the AD group structure, you should be able to define a terminal services bookmark using that variable.
My users are defined in an LDAP (not AD) which includes a multivalued field (rdpdest) which has names or addresses of the RDP destinations which they can access. I then define a terminal services profile with the name and server name/address being "<userAttr.rdpdest>". This generates a terminal services bookmark for each value of the field.
In my case, these destinations are associated with an individual, but I assume you might be able to do something like that to associate the destinations with a group.
Do it this way, and there is only one role with RDP bookmarks. If the value of the field is null, the users could fall through to your "catch-all" role.
Can also use AD extended attributes Example follows
Must define this in server catalog.