Admin Policy, User Resolver

Hi all,

I got a requirement that PI should authenticate AD users without typing a realm when logging in to the client VPN. It works fine when putting the corresponding LDAP resolver into a realm (mycompany) which lists all users of the company and making it the default.

Now I got another requirement that different regional IT departments should only be able to roll out tokens for the users they are responsible for (a part of the realm mycompany).

e.g. admin realm @it-frankfurt → access to AD group “frankfurt users” as a sub-part of the default LDAP group “mycompany” only.

I played around with an admin policy where I put the it-frankfurt realm as an admin realm (added “it-frankfurt” to SUPERUSER_REALM) and tried to limit the users by a new resolver which lists the USA users only. It didn’t work obviously.

Is there a way to do this?

Thanks in advance.

Regards, Guido

I think setting a user resolver specifically on the enrollment policy should (or could) work.

How did it obviously not work? You need to provide a bit more information, like about your policies and what actually happened!
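As an added illustration (not from the thread and not privacyIDEA's own code), here is a simplified model of the reply's suggestion: an admin-scope enrollment policy restricted to one user resolver, so that admins from the it-frankfurt admin realm can only enroll tokens for users coming from that resolver. The field names mirror privacyIDEA policy attributes (scope, action, adminrealm, realm, resolver), but the matching logic and the user directory, the resolver names "frankfurt-resolver" and "usa-resolver", and the user logins are constructed assumptions.

```python
"""Constructed model of admin-scope policy matching (not privacyIDEA's implementation)."""
from dataclasses import dataclass, field

# Constructed directory: which resolver each user of realm "mycompany" is found in.
# The resolver names are hypothetical.
USER_RESOLVER = {
    ("mycompany", "hans"): "frankfurt-resolver",
    ("mycompany", "joe"): "usa-resolver",
}


@dataclass
class Policy:
    name: str
    scope: str                  # "admin" scope governs what administrators may do
    action: set                 # e.g. {"enrollTOTP", "enrollHOTP"}
    adminrealm: set = field(default_factory=set)  # empty = any admin realm
    realm: set = field(default_factory=set)       # user realm(s) the policy covers
    resolver: set = field(default_factory=set)    # user resolver(s) the policy covers


def policy_matches(p, action, admin_realm, user_realm, user_resolver):
    """A policy applies only when every non-empty condition matches the request."""
    if p.scope != "admin" or action not in p.action:
        return False
    if p.adminrealm and admin_realm not in p.adminrealm:
        return False
    if p.realm and user_realm not in p.realm:
        return False
    if p.resolver and user_resolver not in p.resolver:
        return False
    return True


def is_allowed(policies, action, admin_realm, user_realm, user_login):
    """Modelled as deny-by-default: an admin action needs a matching admin policy."""
    user_resolver = USER_RESOLVER.get((user_realm, user_login))
    if user_resolver is None:
        return False  # unknown user: nothing to enroll for
    return any(policy_matches(p, action, admin_realm, user_realm, user_resolver)
               for p in policies)


# Enrollment policy for the Frankfurt IT admins: same realm as everyone else,
# but limited to users that the Frankfurt resolver returns.
POLICIES = [
    Policy(name="frankfurt_enroll", scope="admin", action={"enrollTOTP", "enrollHOTP"},
           adminrealm={"it-frankfurt"}, realm={"mycompany"}, resolver={"frankfurt-resolver"}),
]

if __name__ == "__main__":
    print(is_allowed(POLICIES, "enrollTOTP", "it-frankfurt", "mycompany", "hans"))  # True
    print(is_allowed(POLICIES, "enrollTOTP", "it-frankfurt", "mycompany", "joe"))   # False
```

A user present in both the company-wide resolver and the regional one is matched by the resolver the request resolves them through, so the regional resolver must actually return the users it is meant to cover.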