aaa group

Sep 12, 2016

The following operations can be performed on "aaa group":

add | rm | bind | unbind | show

add aaa group

Creates an AAA group and verifies the configuration to ensure that it is correct.

Synopsis

add aaa group <groupName> [-weight <positive_integer>]

Arguments

groupName

Name for the group. Must begin with a letter, number, or the underscore character (_), and must consist only of letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore characters. Cannot be changed after the group is added.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my aaa group" or 'my aaa group').

weight

Weight of this group with respect to other configured AAA groups (the lower the number, the higher the weight).

Default value: 0

Minimum value: 0

Maximum value: 65535

Example

add aaa group group_ad

rm aaa group

Removes the specified AAA group.

Synopsis

rm aaa group <groupName>

Arguments

groupName

Name of the group that you are removing.

bind aaa group

Binds the specified AAA group to the specified resource. The resource can be a user, an Intranet IP address or range, a policy, or an Intranet application.

Synopsis

bind aaa group <groupName> [-userName <string>] [-policy <string> [-priority <positive_integer>] [-gotoPriorityExpression <expression>]] [-intranetApplication <string>] [-urlName <string>] [-intranetIP <ip_addr> <netmask>] [-intranetIP6 <ip_addr|ipv6_addr|*> <numaddr>]

Arguments

groupName

Name of the group that you are binding.

userName

Bind an AAA group to the specified AAA user.

If the specified user is bound to more than one group, the group expressions are evaluated, upon authorization, to determine the appropriate action.

policy

Bind a policy to the specified AAA group.

priority

Priority to assign to the policy, as an integer. A lower number indicates a higher priority.

Required when binding a group to a policy. Not relevant to any other type of group binding.

Minimum value: 0

intranetApplication

Bind the group to the specified intranet VPN application.

urlName

Bind the group to the specified URL.

intranetIP

Bind the group to the specified IP address or IP block.

Normally you would bind the group to an IP address or range that your users use to access intranet resources.

netmask

Subnet mask specifying an IP-address range to which to bind an AAA group.

gotoPriorityExpression

Expression or other value specifying the next policy to evaluate if the current policy evaluates to TRUE. Specify one of the following values:

* NEXT - Evaluate the policy with the next higher priority number.

* END - End policy evaluation.

* USE_INVOCATION_RESULT - Applicable if this policy invokes another policy label. If the final goto in the invoked policy label has a value of END, the evaluation stops. If the final goto is anything other than END, the current policy label performs a NEXT.

* A default syntax or classic expression that evaluates to a number.

If you specify an expression, the number to which it evaluates determines the next policy to evaluate, as follows:

* If the expression evaluates to a higher numbered priority, the policy with that priority is evaluated next.

* If the expression evaluates to the priority of the current policy, the policy with the next higher numbered priority is evaluated next.

* If the expression evaluates to a number that is larger than the largest numbered priority, policy evaluation ends.

An UNDEF event is triggered if:

* The expression is invalid.

* The expression evaluates to a priority number that is numerically lower than the current policy's priority.

* The expression evaluates to a priority number that is between the current policy's priority number (say, 30) and the highest priority number (say, 100), but does not match any configured priority number (for example, the expression evaluates to the number 85). This example assumes that the priority number increments by 10 for every successive policy, and therefore a priority number of 85 does not exist in the policy label.

intranetIP6

Bind the group to the specified IP6 address or IP block.

Normally you would bind the group to an IP6 address or range that your users use to access intranet resources.

numaddr

Number of IPv6 addresses to be bound.

Minimum value: 1

Example

To bind an Intranet IP to the group engg:

bind aaa group engg -intranetip 10.102.10.0 255.255.255.0
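The next-policy rules listed under gotoPriorityExpression above, modelled in Python as an added example (not Citrix code). The function names, return tuples and sample priorities are assumptions made for illustration; USE_INVOCATION_RESULT is not modelled, and ending evaluation when no higher-numbered policy remains is an assumption the page does not state.

```python
# Added illustration: a model of the gotoPriorityExpression rules described
# above. Not NetScaler code; names and sample priorities are constructed.
from bisect import bisect_right

def resolve_goto(priorities, current, goto):
    """Return ("EVAL", priority), ("END", None) or ("UNDEF", None).

    priorities: priorities of the policies bound to the group (any order)
    current:    priority of the policy that just evaluated to TRUE
    goto:       "NEXT", "END", an int (the number the expression evaluated
                to), or None for an expression that is invalid
    """
    ordered = sorted(set(priorities))
    if current not in ordered:
        raise ValueError("current priority is not bound")

    def next_higher(p):
        # Assumption: with no higher-numbered policy left, evaluation ends.
        i = bisect_right(ordered, p)
        return ("EVAL", ordered[i]) if i < len(ordered) else ("END", None)

    if goto == "END":
        return ("END", None)
    if goto == "NEXT":
        return next_higher(current)
    if isinstance(goto, bool) or not isinstance(goto, int):
        return ("UNDEF", None)          # invalid expression
    if goto < current:
        return ("UNDEF", None)          # points to a lower priority number
    if goto == current:
        return next_higher(current)     # own priority: next higher number
    if goto > ordered[-1]:
        return ("END", None)            # beyond the largest priority
    if goto in ordered:
        return ("EVAL", goto)           # jump to a configured priority
    return ("UNDEF", None)              # in range, but nothing bound there

def trace(priorities, gotos, start):
    """Follow goto values from `start`, assuming every policy visited
    evaluates to TRUE. gotos maps priority -> goto value."""
    path, current = [start], start
    while True:
        state, nxt = resolve_goto(priorities, current, gotos[current])
        if state != "EVAL":
            return path, state
        path.append(nxt)
        current = nxt
```

Running `trace` over a group's bound priorities before applying a change shows whether any goto value would land on an unbound priority and raise UNDEF instead of reaching the intended policy.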

unbind aaa group

Unbinds the specified AAA group from the specified resource. The resource can be a user, an intranet IP address or range, a policy, or an intranet application.

Synopsis

unbind aaa group <groupName> [-userName <string> ...] [-policy <string>] [-intranetApplication <string>] [-urlName <string>] [-intranetIP <ip_addr> <netmask>] [-intranetIP6 <ip_addr|ipv6_addr|*> [<numaddr>]]

Arguments

groupName

Name of the group that you are unbinding.

userName

Unbind the specified AAA group from the specified AAA user.

policy

Unbind the specified policy from the specified AAA group.

intranetApplication

Unbind the specified group from the specified intranet VPN application.

urlName

Unbind the specified group from the specified URL.

intranetIP

Unbind the specified group from the specified IP address or IP block.

netmask

Subnet mask for the IP range in which the intranet application from which you are unbinding the policy resides.

Required if the intranet application has multiple IP addresses bound to it. Not needed if the intranet application resides on a single IP address.

intranetIP6

IP6 address of the intranet application from which you are unbinding the policy.

numaddr

Number of addresses for the IPv6 range in which the intranet application to which you are binding the policy resides.

Required if the intranet application has multiple IPv6 addresses bound to it. Not needed if the intranet application resides on a single IP address.

Minimum value: 1

Example

 unbind aaa group engg -intranetip 10.102.10.0 255.255.255.0

show aaa group

Displays the current configuration of an AAA group.

Synopsis

show aaa group [<groupName>] [-loggedIn] [-weight <positive_integer>]

Arguments

groupName

Name of the group.

loggedIn

Display only the group members who are currently logged in.

weight

Weight of this group with respect to other configured AAA groups (the lower the number, the higher the weight).

Default value: 0

Minimum value: 0

Maximum value: 65535

Outputs

userName

The user name.

policy

The policy name.

priority

Priority to assign to the policy, as an integer. A lower number indicates a higher priority.

Required when binding a group to a policy. Not relevant to any other type of group binding.

intranetApplication

Bind the group to the specified intranet VPN application.

urlName

The intranet URL.

actType

intranetIP

The Intranet IP(s) bound to the group

netmask

The netmask for the Intranet IP

intranetIP6

The Intranet IP6(s) bound to the group

numaddr

Number of IPv6 addresses bound, starting with intranetIP6.

policySubType

stateflag

gotoPriorityExpression

Expression specifying the priority of the next policy which will get evaluated if the current policy rule evaluates to TRUE.

devno

count

Example

> show aaa group engg
        GroupName: engg
        Bound AAA users:
        UserName: joe
        UserName: jane
        Intranetip IP: 10.102.10.0      Netmask: 255.255.255.0
 Done
>