
Problem working out AAA expression syntax to identify member of one of two groups


Pedro Silva


I am having an issue with the expression syntax for identifying if a user is a member, or not a member, of one of two groups.

Using Classic syntax to identify group members this works -> HTTP.REQ.USER.IS_MEMBER_OF("GG - Group 1 Users")

Likewise this works if I want to identify users that are not a member of the group -> HTTP.REQ.USER.IS_MEMBER_OF("GG - Group 1 Users").NOT

However, if I try to identify users of Group 1 OR Group 2 I can't get it to work.

I am trying

HTTP.REQ.USER.IS_MEMBER_OF("GG - Group 1 Users")||HTTP.REQ.USER.IS_MEMBER_OF("GG - Group 2 Users")

or

HTTP.REQ.USER.IS_MEMBER_OF("GG - Group 1 Users").NOT||HTTP.REQ.USER.IS_MEMBER_OF("GG - Group 2 Users").NOT

but it doesn't appear to hit this policy.

aaa.debug shows the group is correctly identified so I think this is a syntax issue?

I see there is an IS_MEMBER_OF_ANY option but I couldn't identify the right syntax and I think that does not work with Classic policies. I have a working configuration so would prefer to not have to convert all the policies over.

We are running NS13.0

Thanks

P


In addition to Carl's statements, you must also create the group as a AAA Group on the system for the match to work.

If your positive assertion is a member of either Group A or Group B, then the opposite negative assertion may have to be !(GroupA or GroupB), which is also !GroupA && !GroupB, which would trigger for everyone else.

HTTP.REQ.USER.IS_MEMBER_OF("GG - Group 1 Users").NOT && HTTP.REQ.USER.IS_MEMBER_OF("GG - Group 2 Users").NOT
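
The three expressions from this thread evaluated against every membership combination, as an added example that is not part of the original posts and is not Citrix code. It is a small Python model of only the expression subset used here, assuming && binds tighter than ||; the user names and the "GG - Other" group are constructed.

```python
import re

# Subset of the expression syntax used in this thread (a model, not NetScaler's parser):
# IS_MEMBER_OF("<group>") with optional .NOT, joined by || and &&, no parentheses.
TOKEN = re.compile(r'\s*(HTTP\.REQ\.USER\.IS_MEMBER_OF\("([^"]*)"\)(\.NOT)?|\|\||&&)')

def evaluate(expr, groups):
    """Return True if expr matches a user whose group set is `groups`.
    Assumes && binds tighter than ||, as in C-style expressions."""
    expr, pos = expr.strip(), 0
    or_terms, current, want_operand = [], [], True
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}")
        pos, tok = m.end(), m.group(1)
        if (tok in ("||", "&&")) == want_operand:
            raise ValueError(f"unexpected token {tok!r}")
        if tok == "||":
            or_terms.append(current)      # close the current AND-term
            current = []
        elif tok != "&&":
            member = m.group(2) in groups
            current.append(not member if m.group(3) else member)
        want_operand = not want_operand
    if want_operand:
        raise ValueError("expression is empty or ends with an operator")
    or_terms.append(current)
    return any(all(term) for term in or_terms)

G1, G2 = "GG - Group 1 Users", "GG - Group 2 Users"
# Constructed users covering every membership combination.
USERS = {"alice": {G1}, "bob": {G2}, "carol": {G1, G2}, "dave": {"GG - Other"}}

EITHER = f'HTTP.REQ.USER.IS_MEMBER_OF("{G1}")||HTTP.REQ.USER.IS_MEMBER_OF("{G2}")'
NOT_OR = f'HTTP.REQ.USER.IS_MEMBER_OF("{G1}").NOT||HTTP.REQ.USER.IS_MEMBER_OF("{G2}").NOT'
NOT_AND = f'HTTP.REQ.USER.IS_MEMBER_OF("{G1}").NOT && HTTP.REQ.USER.IS_MEMBER_OF("{G2}").NOT'

def matched(expr):
    """Names of the constructed users that the expression matches."""
    return {name for name, groups in USERS.items() if evaluate(expr, groups)}

if __name__ == "__main__":
    for label, expr in (("A || B", EITHER), ("!A || !B", NOT_OR), ("!A && !B", NOT_AND)):
        print(f"{label:9} -> {sorted(matched(expr))}")
```

In this model only the `.NOT && .NOT` form is the exact complement of the "member of either group" match; the `.NOT || .NOT` form also matches users who belong to just one of the two groups.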

 

 
