Here are the concerns prompting this question. Currently people with remote access have to change their passwords more frequently than those without remote access. The business owners hate this and want to have passwords changed every 6 months or some such. My concern is that those with remote access (many of whom are technically challenged) will sit down at a computer that has some sort of key logger on it and the password is then in the wild. To minimize this I make them change their passwords every 40 days.
Here is what I would like to do to minimize this risk and allow for longer password change periods.
I want the initial look to be based on user name only and run through host checker policies.
Is this possible? (SA2500 running version 8.0r5; I may try to update this weekend to the latest 8.0rX.) I don't do this often so don't assume I know what I'm doing. It's been 5 or 6 years since I set up the box and now I've got to re-learn all the ins and outs.
If your primary concern is keyloggers, I would suggest that you could leave the password policies alone and instead add on OPSWAT Gears for keylogger detection.
It's a common use case for customers integrating SSL VPN with our endpoint posture checker to look for advanced compliance items (disk encryption for example) as well as performing a fast PUA and malware scan.
Check out the attached video showing how it can be added to host checker.
Sales pitch aside...
If you do not want users to be presented with a login dialog if they fail host checker evaluation, you need to have your Host Checker policy enabled for both 'Evaluate' and 'Require and Enforce' at the realm level. If you only evaluate at the realm level and enforce at the role level, the users will be allowed to complete the login before the policy is enforced.
There really isn't any 'if, then, else' logic in host checker evaluation. You're really limited to 'and' style logic (i.e. require both this rule/policy and that rule/policy) or 'or' style logic (i.e. require either this rule/policy or that rule/policy).
If you want to allow users to log in if they either match a list of MAC addresses or have appropriate AV software, there are two possibilities:
Which approach is better for you will depend on whether you use the policies elsewhere in the configuration (e.g. role mapping rules, conditional rewriting rules, etc.). You should also consider the slightly different user experience and logging results for the two approaches.
If you really want to, you can get pretty sophisticated with this by combining both types ('and' policies with 'or' rules, 'or' policies with 'and' rules). In my opinion, simpler is better.
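To make the two points in this answer concrete (realm-level 'Evaluate' vs 'Require and Enforce' decides whether a failing endpoint ever sees the login dialog, and policies only combine with 'and'/'or'), here is an added toy model of that evaluation order. It is illustrative Python written for this thread, not Juniper/Pulse code or the SA2500's real configuration format; the MAC allow-list, the `av_running` attribute and all class and step names are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Endpoint = Dict[str, object]
Rule = Callable[[Endpoint], bool]

# Constructed sample data: an allow-list of MAC addresses and two posture rules.
KNOWN_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}
mac_rule: Rule = lambda ep: ep.get("mac") in KNOWN_MACS
av_rule: Rule = lambda ep: bool(ep.get("av_running"))


@dataclass
class Policy:
    """A Host Checker policy: its rules combine with 'and' (all) or 'or' (any)."""
    name: str
    rules: List[Rule]
    require: str = "all"          # "all" = 'and' rules, "any" = 'or' rules

    def evaluate(self, ep: Endpoint) -> bool:
        results = [rule(ep) for rule in self.rules]
        return all(results) if self.require == "all" else any(results)


@dataclass
class Realm:
    """Realm-level settings: how policies combine and whether they are enforced there."""
    policies: List[Policy]
    require: str = "all"          # "all" = require every policy, "any" = require either
    enforce: bool = False         # False = 'Evaluate' only, True = 'Require and Enforce'


def login_flow(realm: Realm, ep: Endpoint) -> List[str]:
    """Return the steps a user sees, in order, for one sign-in attempt."""
    combine = all if realm.require == "all" else any
    passed = combine(p.evaluate(ep) for p in realm.policies)
    steps = ["host_checker"]                    # posture is always evaluated first
    if realm.enforce and not passed:
        steps.append("denied_before_login")     # no credential prompt at all
        return steps
    steps.append("login_dialog")                # evaluate-only: credentials are collected
    # With enforcement pushed down to the role, the verdict only bites after login.
    steps.append("role_granted" if passed else "role_denied")
    return steps
```

Run `login_flow` with `enforce=True` and `enforce=False` on the same failing endpoint to see the difference the answer describes: only the enforced realm stops short of the login dialog.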