To use AAA groups in policy expressions, the groups must be added in ADC. This applies to all expressions evaluated after the authentication flow is completed.
For example, if a user is part of an LDAP group "Finance" and you want to use a policy expression such as the following (e.g. in a rewrite, responder, or any other policy):
AAA.USER.IS_MEMBER_OF("Finance")
OR
AAA.USER.GROUPS.CONTAINS("Finance")
You should have the group “Finance” added to the ADC configuration. The steps to do this are below.
CLI:
add aaa group Finance
GUI:
Citrix Gateway > User Administration > AAA Groups > ADD
Type the Group name and hit OK
The following expressions are generally used to evaluate a user’s group membership, and the above-mentioned requirement applies to all of them.
AAA.USER.IS_MEMBER_OF()
AAA.USER.GROUPS()
AAA.USER.IS_MEMBER_OF_ANY()
AAA.USER.IS_MEMBER_OF_ALL()
AAA.USER.INTERNAL_GROUPS()
AAA.USER.EXTERNAL_GROUPS()
Note: This requirement was always applicable for the CVPN and Full VPN use cases. Starting with the following versions, it is also applicable for the ICA Proxy use case:
12.1.57.x
13.0.61.x
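To audit an existing configuration against this requirement, the following added example (not Citrix code) scans saved configuration text for group names used in the two expression forms shown above and reports any that have no matching "add aaa group" line. The sample configuration, policy names, and the exact-match comparison of group names are assumptions made for illustration.

```python
import re

# Group names inside the two expression forms shown on this page.
# A saved config stores the inner quotes escaped (\"), so the backslash is optional.
GROUP_REF = re.compile(
    r'AAA\.USER\.(?:IS_MEMBER_OF|GROUPS\.CONTAINS)\(\s*\\?"([^"\\]+)\\?"\s*\)',
    re.IGNORECASE,
)
# "add aaa group <name>", where the name may be quoted if it contains spaces.
GROUP_DEF = re.compile(r'^add aaa group\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def missing_aaa_groups(config_text):
    """Return {group name: [line numbers]} for groups referenced in policy
    expressions that have no 'add aaa group' entry anywhere in the config."""
    defined = set()
    referenced = {}
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        line = line.strip()
        m = GROUP_DEF.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
            continue
        for name in GROUP_REF.findall(line):
            referenced.setdefault(name, []).append(lineno)
    # Assumption: names are compared exactly as written.
    return {g: lines for g, lines in referenced.items() if g not in defined}


# Constructed sample configuration (policy names are hypothetical).
SAMPLE_CONFIG = r'''add aaa group Finance
add aaa group "Domain Users"
add responder policy pol_fin "AAA.USER.IS_MEMBER_OF(\"Finance\")" DROP
add rewrite policy pol_hr "AAA.USER.GROUPS.CONTAINS(\"HR\")" NOREWRITE
add responder policy pol_du "AAA.USER.IS_MEMBER_OF(\"Domain Users\") && AAA.USER.IS_MEMBER_OF(\"Contractors\")" RESET
'''

if __name__ == "__main__":
    for group, lines in missing_aaa_groups(SAMPLE_CONFIG).items():
        print(f'group "{group}" used on line(s) {lines} but not added: add aaa group "{group}"')
```

The other expressions listed above (IS_MEMBER_OF_ANY, IS_MEMBER_OF_ALL, and so on) are deliberately not parsed here, so policies using them still need a manual review.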