Authentication question

New Contributor

Authentication question

Here are the concerns prompting this question. Currently people with remote access have to change their passwords more frequently than those without remote access. The business owners hate this and want to have passwords changed every 6 months or some such. My concern is that those with remote access (many of whom are technically challenged) will sit down at a computer that has some sort of key logger on it and the password is then in the wild. To minimize this I make them change their passwords every 40 days.

Here is what I would like to do to minimize this risk and allow for longer password change periods.

I want the initial look to be based on user name only and run through host checker policies:

  1. Is the computer on a MAC address list (is it one of ours)
  2. IF it isn't one of ours I want host checker to see if anti-virus / anti-spyware and firewall rules are met
  3. IF all this checks out then allow them to present both user name and password and authenticate into the VPN.

Is this possible? (SA2500 running version 8.0r5; I may try to update this weekend to the latest 8.0rX.) I don't do this often so don't assume I know what I'm doing. It's been 5 or 6 years since I set up the box and now I've got to re-learn all the ins and outs.

New Contributor

Re: Authentication question

If your primary concern is keyloggers, I would suggest that you could leave the password policies alone and instead add-on OPSWAT Gears for keylogger detection.

It's a common use case for customers integrating SSL VPN with our endpoint posture checker to look for advanced compliance items (disk encryption for example) as well as performing a fast PUA and malware scan.

Check out the attached video showing how it can be added to host checker.

Frequent Contributor

Re: Authentication question

Sales pitch aside...

If you do not want users to be presented with a login dialog if they fail host checker evaluation, you need to have your Host Checker policy enabled for both 'Evaluate' and 'Require and Enforce' at the realm level. If you only evaluate at the realm level and enforce at the role level, the users will be allowed to complete the login before the policy is enforced.

There really isn't any 'if, then, else' logic in host checker evaluation. You're really limited to 'and' style logic (i.e. require both this rule/policy and that rule/policy) or 'or' style logic (i.e. require either this rule/policy or that rule/policy).

If you want to allow users to login if they either match a list of MAC address or have appropriate AV software, there are two possibilities:

  1. Create one Host Checker policy that has two rules; one for MAC evaluation and one for AV evaluation, and set the Host Checker policy to require 'any of the above rules'. The policy will evaluate as true if either condition is met. When you enforce at the realm level the user will be allowed to login if the policy evaluates as true.
  2. Create two separate Host Checker policies; one policy with a single rule for the MAC evaluation and one policy with a single rule for AV evaluation. At the realm level, set both policies for 'Evaluate' and 'Require and Enforce' and enable the option 'Allow access to realm if any ONE of the selected ...'. Users will be allowed to login as long as at least one of the policies evaluates as true.

Which approach is better for you will depend on if you use the policies elsewhere in the configuration (e.g. role mapping rules, conditional rewriting rules, etc.). You should also consider the slightly different user experience and logging results for the two approaches.

If you really want to, you can get pretty sophisticated with this by combining both types ('and' policies with 'or' rules, 'or' policies with 'and' rules). In my opinion, simpler is better.
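To make the 'and'/'or' logic and the realm-versus-role enforcement point above concrete, here is an added simulation (example code written for this thread, not Juniper/Pulse Secure code and not the SA's actual evaluation engine). It models a rule as a predicate over collected endpoint posture, a policy as rules combined with all/any logic, and a realm as policies combined with the 'Allow access to realm if any ONE of the selected ...' option. The `CORPORATE_MACS` list, the endpoint postures and every class and function name are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Endpoint posture as Host Checker would collect it (constructed for this example).
Endpoint = Dict[str, object]


@dataclass
class Rule:
    """One Host Checker rule: a named predicate over the endpoint posture."""
    name: str
    check: Callable[[Endpoint], bool]


@dataclass
class Policy:
    """A Host Checker policy: rules combined with 'all' ('and') or 'any' ('or') logic."""
    name: str
    rules: List[Rule]
    require_any: bool = False  # False: all rules must pass; True: 'any of the above rules'

    def evaluate(self, endpoint: Endpoint) -> bool:
        results = [rule.check(endpoint) for rule in self.rules]
        return any(results) if self.require_any else all(results)


@dataclass
class Realm:
    """Realm-level Host Checker settings (hypothetical model of the SA configuration)."""
    policies: List[Policy]
    enforce_at_realm: bool = True      # 'Evaluate' and 'Require and Enforce' at the realm
    allow_if_any_policy: bool = False  # 'Allow access to realm if any ONE of the selected ...'

    def posture_ok(self, endpoint: Endpoint) -> bool:
        results = [policy.evaluate(endpoint) for policy in self.policies]
        return any(results) if self.allow_if_any_policy else all(results)


def login_flow(realm: Realm, endpoint: Endpoint) -> Tuple[bool, bool]:
    """Return (login_dialog_shown, access_granted) for an endpoint hitting the realm."""
    ok = realm.posture_ok(endpoint)
    if realm.enforce_at_realm:
        # Posture is enforced before credentials are requested: a failing
        # endpoint never sees the password prompt.
        return (ok, ok)
    # Enforced only at the role level: the user completes login first and the
    # policy gates role assignment afterwards.
    return (True, ok)


# Constructed corporate MAC list (placeholder values, not real assets).
CORPORATE_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

mac_rule = Rule("corporate-mac", lambda ep: ep["mac"] in CORPORATE_MACS)
av_rule = Rule("av-running", lambda ep: bool(ep["av_running"]))


def approach_one(enforce_at_realm: bool = True) -> Realm:
    """Approach 1: one policy, two rules, set to 'any of the above rules'."""
    policy = Policy("mac-or-av", [mac_rule, av_rule], require_any=True)
    return Realm([policy], enforce_at_realm=enforce_at_realm)


def approach_two(enforce_at_realm: bool = True) -> Realm:
    """Approach 2: two single-rule policies; realm allows access if any ONE passes."""
    mac_policy = Policy("mac-only", [mac_rule])
    av_policy = Policy("av-only", [av_rule])
    return Realm([mac_policy, av_policy], enforce_at_realm=enforce_at_realm,
                 allow_if_any_policy=True)


# Constructed endpoint postures.
ENDPOINTS: Dict[str, Endpoint] = {
    "corporate-laptop": {"mac": "00:11:22:33:44:55", "av_running": False},
    "home-pc-with-av": {"mac": "aa:bb:cc:dd:ee:ff", "av_running": True},
    "unknown-pc": {"mac": "aa:bb:cc:dd:ee:00", "av_running": False},
}


def compare(endpoint_name: str, enforce_at_realm: bool = True) -> Dict[str, Tuple[bool, bool]]:
    """Run one endpoint through both approaches and return each (dialog_shown, granted)."""
    ep = ENDPOINTS[endpoint_name]
    return {
        "one-policy-any-rule": login_flow(approach_one(enforce_at_realm), ep),
        "two-policies-any-one": login_flow(approach_two(enforce_at_realm), ep),
    }


if __name__ == "__main__":
    for name in ENDPOINTS:
        print(name, compare(name))
    print("unknown-pc, role-level enforcement only:", compare("unknown-pc", enforce_at_realm=False))
```

Both approaches reach the same allow/deny decision for every posture; they differ only in how the result is logged and which policy names you can reuse in role mapping, as the reply notes. The simulation also shows the enforcement caveat: with `enforce_at_realm=False` the unknown PC is still shown the login dialog (and can type a password into it) before the policy denies the role, which is exactly the exposure the original poster wants to avoid. Keep in mind that a MAC list identifies a network adapter, not a user, and neither rule says anything about a keylogger on a machine that happens to pass.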