Restrict access to Storefront via Gateway based on Login Username

Article ID: CTX477105

Description

This article describes how to configure a responder policy that restricts access to StoreFront through Gateway based on the login username, and explains the difference between the expressions "AAA.USER.LOGIN_NAME" and "AAA.LOGIN.USERNAME".


Instructions

1. Make sure that the responder feature is enabled.

2. Create a responder policy with the DROP action, using the following expression:

AAA.USER.LOGIN_NAME.SET_TEXT_MODE(IGNORECASE).EQ("STAFF1")



3. Bind the policy to the Gateway virtual server.

Note:
  • After a successful Gateway login, ADC stores the login username in lowercase in the Gateway session, so the username in the expression must be lowercase, or you can use SET_TEXT_MODE(IGNORECASE) to make the comparison case insensitive;
For example, the login username here is "STAFF1", but after a successful login it is lowercased in the Gateway session:

Dec 25 07:40:39 <local0.info> 192.168.3.100 12/25/2022:07:40:39 GMT  0-PPE-0 : default SSLVPN Message 3054 0 :  "AAAD API: aaad_authenticate_req: sending login req to aaad for <STAFF1>, factor <>, auth type 0, trans id 1394"
Dec 25 07:40:39 <local0.info> 192.168.3.100 12/25/2022:07:40:39 GMT  0-PPE-0 : default SSLVPN LOGIN 3063 0 : Context staff1@a.a.a.a - SessionId: 5 - User staff1 - Client_ip a.a.a.a - Nat_ip "Mapped Ip" - Vserver b.b.b.b:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" - SSLVPN_client_type ICA - Group(s) "N/A"
Dec 25 07:40:39 <local0.info> 192.168.3.100 12/25/2022:07:40:39 GMT  0-PPE-0 : default SSLVPN HTTPREQUEST 3064 0 : Context staff1@a.a.a.a - SessionId: 5 - vpn.ww.local User staff1 : Group(s) N/A : Vserver b.b.b.b:443 - 12/25/2022:07:40:39 GMT : SSO is ON : GET /Citrix/storeWeb - -
  • "AAA.LOGIN.USERNAME" extracts the username from the login request itself and is case sensitive;
  • HTTP.REQ.USER has been deprecated; it is equivalent to AAA.USER.
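The three steps above as a complete ADC CLI sequence. This is an added example and not part of the original article: the policy name rsp_block_staff1, the Gateway virtual server name gw_vs, the priority 100 and the -gotoPriorityExpression END setting are assumptions; lines starting with # are explanatory notes, not CLI input.

```netscaler
# Step 1: enable the responder feature
enable ns feature responder

# Step 2: responder policy with the built-in DROP action.
# The Gateway session stores the username in lowercase, so either write "staff1"
# or, as here, make the comparison case insensitive with SET_TEXT_MODE(IGNORECASE).
# Without IGNORECASE, AAA.USER.LOGIN_NAME.EQ("STAFF1") would never match.
add responder policy rsp_block_staff1 'AAA.USER.LOGIN_NAME.SET_TEXT_MODE(IGNORECASE).EQ("STAFF1")' DROP

# Step 3: bind the policy to the Gateway virtual server (gw_vs is an assumed name)
bind vpn vserver gw_vs -policy rsp_block_staff1 -priority 100 -gotoPriorityExpression END -type REQUEST

# Verify: the Hits counter of the policy increases when staff1 sends a request through the Gateway
show responder policy rsp_block_staff1

# Persist the configuration
save ns config
```

Because the policy evaluates AAA.USER.LOGIN_NAME, it only takes effect on requests of an already authenticated session, such as the GET /Citrix/StoreWeb request seen in the log above; it does not interfere with the login itself.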