Objective
This article describes how to configure an authorization policy on NetScaler that filters access by both source IP address and group membership.
Background
Consider the following scenario: when a connection reaches the NetScaler Gateway VIP, the NetScaler Gateway should allow or deny access based on whether the user is a member of a particular Active Directory group. In addition, NetScaler should allow access only to those users who are connecting from a certain subnet.
Instructions
This setup can be implemented by creating groups on NetScaler. The group names on the NetScaler Gateway must match the group names on the Active Directory server. After the group is configured, create an authorization policy and bind it to the group. Users who are members of that group and connect from the defined subnet are allowed access. Optionally, you can also bind a session policy to the group.
Run the following command from the command line interface of the NetScaler:
add authorization policy auth_policy "REQ.IP.SOURCEIP == 172.16.1.0 -netmask 255.255.255.0" ALLOW
bind aaa group TechSupport -policy auth_policy -priority 100
Note: In the preceding commands, the group name is "TechSupport" and the subnet to be allowed is "172.16.1.0/24".
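The complete command sequence for this scenario, including the group creation that the instructions describe but do not show and the optional session policy, is given below as an added example; it is not part of the original article. It reuses the group name, policy name and subnet from the note above; the session profile name "sess_prof" and session policy name "sess_pol" are assumed names chosen for the example. The "show" commands at the end are there to verify that the policy is bound to the group before traffic is sent through the Gateway.

```text
add aaa group TechSupport
add authorization policy auth_policy "REQ.IP.SOURCEIP == 172.16.1.0 -netmask 255.255.255.0" ALLOW
bind aaa group TechSupport -policy auth_policy -priority 100
add vpn sessionAction sess_prof -defaultAuthorizationAction DENY
add vpn sessionPolicy sess_pol ns_true sess_prof
bind aaa group TechSupport -policy sess_pol -priority 100
show aaa group TechSupport
show authorization policy auth_policy
save ns config
```

The session profile line is the check worth paying attention to: an ALLOW authorization policy only restricts anything when the default authorization action that applies to the session is DENY, so confirm the value in the session profile (or in the global session settings) that the group actually receives; otherwise users outside 172.16.1.0/24 still get access because nothing denies them. The "show aaa group TechSupport" output should list both auth_policy and sess_pol as bound policies; if the group name on NetScaler does not exactly match the Active Directory group name, the user is never placed in the group and neither policy is evaluated.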