Hitting multiple AD groups avoidance


Eirik Zakariassen

Jan 9, 2026, 3:48:01 AM (yesterday) Jan 9
to Event-Driven Servers
Hi again Marc.

Curious, I've tried reading the docs to figure this out, but I'm not making a working config for it.

To summarize, we have 3x different types of hardware so far (F5, Checkpoint, Aruba); all of these auth fine on their own with their respective profiles if the user has only one group membership. However, I'm struggling to handle users with multiple admin group memberships etc. to get the right profile.

So say we have the following groups:
CPadmin
CPauditor
F5admin
F5auditor
Arubaadmin
Arubaauditor

If a user is a member of all three admin groups (a superuser working across groups), it seems to match on a first-come, first-served basis, so the user will always end up in the Arubaadmin group even if he logs into an F5 device.

Is it possible to add a ruleset or script to the profile that matches the user to the right profile? (Since they vary greatly between devices to work.)

See my currently working examples with individual profiles per device, and rulesets to match profiles:

ruleset {
    rule {
        script {
            # Checks run top to bottom; the first matching group wins and sets the profile
            if (memberof =~ /^CN=Arubaadmin,/) { profile = aruba-admins permit }
            if (memberof =~ /^CN=F5admin,/) { profile = f5-admins permit }
            if (memberof =~ /^CN=CPadmin,/) { profile = cp-admin permit }
            if (memberof =~ /^CN=Arubaauditor,/) { profile = aruba-auditors permit }
            if (memberof =~ /^CN=F5auditor,/) { profile = f5-auditor permit }
            if (memberof =~ /^CN=CPauditor,/) { profile = cp-auditor permit }
        }
    }
}


profile aruba-admins {
    script {
        if (service == shell) {
            # Login (empty cmd): grant privilege level 15
            if (cmd == "") {
                set priv-lvl = 15
                permit
            }
            # Command authorization: allow everything
            permit
        }
    }
}

profile f5-admins {
    script {
        if (service == ppp) {
            if (protocol == ip) {
                # F5 vendor attributes: administrator role on all partitions, console access
                set F5-LTM-User-Info-1 = adm
                set F5-LTM-User-Console = 1
                set F5-LTM-User-Role = 0
                set F5-LTM-User-Partition = all
                permit
            }
            permit
        }
    }
}

profile cp-admin {
    enable 15 = login
    script {
        if (service == pap) {
            # Login (empty cmd): grant privilege level 15
            if (cmd == "") {
                set priv-lvl = 15
                permit
            }
            permit
        }
    }
}

device = aruba {
address file = /etc/tacplus-ng/aruba
welcome banner = "Welcome\n to the machine"
anonymous-enable = deny # ask for user authentication on enable
key = arubakey
}
device = f5 {
address file = /etc/tacplus-ng/f5
welcome banner = "Welcome\n to the machine"
anonymous-enable = deny # ask for user authentication on enable
key = f5key
}
device = checkpoint {
address file = /etc/tacplus-ng/checkpoint
welcome banner = "Welcome\n to the machine"
anonymous-enable = deny # ask for user authentication on enable
key = checkpointkey
}

Eirik Zakariassen

Jan 9, 2026, 6:24:29 AM (yesterday) Jan 9
to Event-Driven Servers
Might have solved my own problem by doing this?

ruleset {
    rule {
        script {
            # Only consult the groups that belong to the device the user is logging in to
            if (device == aruba) {
                if (memberof =~ /^CN=Arubaadmin,/) { profile = aruba-admins permit }
                if (memberof =~ /^CN=Arubaauditor,/) { profile = aruba-auditors permit }
            }
            if (device == f5) {
                if (memberof =~ /^CN=F5admin,/) { profile = f5-admins permit }
                if (memberof =~ /^CN=F5auditor,/) { profile = f5-auditor permit }
            }
            if (device == checkpoint) {
                if (memberof =~ /^CN=CPadmin,/) { profile = cp-admin permit }
                # the post is cut off after the line above; the CPauditor check and
                # closing braces are filled in following the first ruleset
                if (memberof =~ /^CN=CPauditor,/) { profile = cp-auditor permit }
            }
        }
    }
}

Marc Huber

Jan 9, 2026, 8:35:20 AM (yesterday) Jan 9
to event-driv...@googlegroups.com

Hi Eirik,

yes, adding device type information using device groups or device tags is a valid option.

Tag based example:

device ... {
    address = ...
    tag = vendor1
}

ruleset {
    rule {
        script {
            if (device.tag == vendor1 && memberof =~ /^.../) {
                profile = ...
                permit
            }
        }
    }
}

Cheers,

Marc
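A complete version of the tag-based approach applied to the groups from the first post, as an added example that is not part of this thread or of tac_plus-ng itself. The tag names aruba, f5 and checkpoint, the order of the checks and the final deny are assumptions; the syntax follows the snippets above.

```conf
# Added example (not from the thread or the tac_plus-ng project): tag each device
# with its vendor, then require BOTH the tag and the AD group before a profile is
# chosen. Tag names and the trailing deny are assumptions.

device = aruba {
    address file = /etc/tacplus-ng/aruba
    key = arubakey
    tag = aruba
}
device = f5 {
    address file = /etc/tacplus-ng/f5
    key = f5key
    tag = f5
}
device = checkpoint {
    address file = /etc/tacplus-ng/checkpoint
    key = checkpointkey
    tag = checkpoint
}

ruleset {
    rule {
        script {
            # A user in Arubaadmin + F5admin + CPadmin now gets the profile for the
            # device the request actually comes from, not the first group listed.
            # Within one device, admin is checked before auditor, so a user who is
            # in both groups lands in the admin profile (first match wins).
            if (device.tag == aruba && memberof =~ /^CN=Arubaadmin,/) { profile = aruba-admins permit }
            if (device.tag == aruba && memberof =~ /^CN=Arubaauditor,/) { profile = aruba-auditors permit }
            if (device.tag == f5 && memberof =~ /^CN=F5admin,/) { profile = f5-admins permit }
            if (device.tag == f5 && memberof =~ /^CN=F5auditor,/) { profile = f5-auditor permit }
            if (device.tag == checkpoint && memberof =~ /^CN=CPadmin,/) { profile = cp-admin permit }
            if (device.tag == checkpoint && memberof =~ /^CN=CPauditor,/) { profile = cp-auditor permit }
            # No (device, group) pair matched: refuse explicitly instead of falling
            # through to whichever profile happened to come first.
            deny
        }
    }
}
```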
