Can I filter Network Connect/Junos Pulse users by Host Checker

moah99_
Not applicable

Can I filter Network Connect/Junos Pulse users by Host Checker

I would like to do the following things

   Only one sign-in page

   Using a connection profile (dial-up client-to-site VPN)

   If the PC passes the Host Checker policy, it can connect to all internal resources; if all Host Checker policies fail, the PC can only connect to a few file servers

   I can do this with two or more sign-in pages; is it possible to do this with only a single sign-in page?


4 REPLIES
zanyterp_
Respected Contributor

Re: Can I filter Network Connect/Junos Pulse users by Host Checker

A similar option, if you don't want to use custom expressions, is to set Host Checker as required on the full access role and map to both roles on the realm. When users connect they will be unable to meet the Host Checker requirement and will only have minimal access, as desired.
flip_pipe_
Frequent Contributor

Re: Can I filter Network Connect/Junos Pulse users by Host Checker

Hi,

Complementing Braker's answer.

If you need more role mapping rules that depend on the result of HC, you can also create a stop rule: if the client does not have HC, then stop processing the role mapping.

One problem I have with this approach is that the client doesn't know whether HC has run or not. If HC for some reason doesn't run on the client PC (for example, the user is using Google Chrome, Firefox is blocking Java, and so on), they will not have access to some resources, and will probably call you saying they have problems connecting to the resources.

Regards,

braker_
Frequent Contributor

Re: Can I filter Network Connect/Junos Pulse users by Host Checker

Agreed. In this approach, HC not running is functionally the same as not passing the HC policy, since both result in the user getting limited access. This can be confusing to the user: they don't know if it's a compliance issue or a software issue.

There are a couple of ways to deal with this. One approach is to create three roles: full access for compliant users, partial access for non-compliant users, and informational for users where HC is not running. Create an HC policy that detects any running process to differentiate between the non-compliant users and those that can't run HC due to software issues. Add a role mapping rule to match the 'any process' HC rule and map to the limited access role, and have the default role mapping rule map to the informational role.

You can further enhance this by enabling the HC remediation notices to inform users who fail compliance why they failed. Doing this requires a slightly different configuration:

- the first role mapping rule should match the 'any process' HC policy and map to the full access role with no Stop.

- the second role mapping rule should match the 'any process' HC policy but not the compliance HC policies and map to the partial access role.

- the third role mapping rule should not match (!=) the 'any process' HC policy and map to the informational role.

In addition, the compliance HC policies should be made a requirement on the full access role at the role level.

Using this approach:

- compliant users map to the full access role only

- non-compliant users map to the full access role and the partial access role; but because the full access role requires the compliance HC policies, they will get the remediation notice and only the partial access role will be applied.

- those that can't run HC get the informational role only.

braker_
Frequent Contributor

Re: Can I filter Network Connect/Junos Pulse users by Host Checker

Absolutely.

Create a role mapping rule with a custom expression for your Host Checker policies, e.g.

   hostCheckerPolicy = 'Policy 1' or hostCheckerPolicy = 'Policy 2'
Map that rule to the full access role and move the rule to the top of the list.
Have the default rule map to the limited access role.
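The two designs in this thread (braker's custom-expression rule with a limited-access default, and the later three-role layout with an 'any process' policy plus a role-level HC requirement) can be hard to reason about because rule order, the Stop flag and role-level restrictions all interact. The following is an added example, not code from the thread or from Juniper/Pulse: a small Python simulation of top-down role mapping with those three mechanisms. The policy and role names, the 'Any Process' policy, and the Stop setting on the two-role design's compliant rule are all constructed assumptions.

```python
# Added example: a constructed model of role mapping rule evaluation on a
# Pulse/Juniper-style gateway. Not the product's code; names are placeholders.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

ANY_PROCESS = "Any Process"                        # assumed HC policy: passes whenever HC ran
COMPLIANCE: Set[str] = {"Policy 1", "Policy 2"}    # assumed compliance policy names


@dataclass(frozen=True)
class Client:
    name: str
    passed: FrozenSet[str]   # Host Checker policies this endpoint passed (empty if HC never ran)


@dataclass(frozen=True)
class MappingRule:
    name: str
    matches: Callable[["Client"], bool]  # stands in for the rule's custom expression
    roles: Tuple[str, ...]
    stop: bool = False                   # "stop processing rules when this rule matches"


# Role-level Host Checker restrictions: every listed policy must pass, or the
# role is withheld and the user sees a remediation notice instead.
ROLE_REQUIREMENTS: Dict[str, Set[str]] = {
    "Full Access": set(COMPLIANCE),
    "Partial Access": set(),
    "Informational": set(),
}


def hc(client: Client, policy: str) -> bool:
    """Models  hostCheckerPolicy = 'policy'  in a custom expression."""
    return policy in client.passed


def evaluate(rules: List[MappingRule], client: Client) -> Tuple[List[str], List[str]]:
    """Evaluate rules top-down; return (roles applied, roles withheld for remediation)."""
    mapped: List[str] = []
    for rule in rules:
        if rule.matches(client):
            mapped.extend(r for r in rule.roles if r not in mapped)
            if rule.stop:
                break
    applied = [r for r in mapped if ROLE_REQUIREMENTS[r] <= client.passed]
    remediation = [r for r in mapped if r not in applied]
    return applied, remediation


# Three-role design from braker's second reply: no Stop on the first rule, and
# the compliance policies enforced on the full access role at the role level.
THREE_ROLE_RULES = [
    MappingRule("ran HC", lambda c: hc(c, ANY_PROCESS), ("Full Access",)),
    MappingRule("ran HC but failed compliance",
                lambda c: hc(c, ANY_PROCESS) and not all(hc(c, p) for p in COMPLIANCE),
                ("Partial Access",)),
    MappingRule("HC did not run", lambda c: not hc(c, ANY_PROCESS), ("Informational",)),
]

# Two-role design from braker's first reply:
#   hostCheckerPolicy = 'Policy 1' or hostCheckerPolicy = 'Policy 2'
# at the top, default rule to limited access. Stop on the first rule is an
# assumption so compliant users are not also handed the limited role.
TWO_ROLE_RULES = [
    MappingRule("compliant", lambda c: any(hc(c, p) for p in COMPLIANCE),
                ("Full Access",), stop=True),
    MappingRule("default", lambda c: True, ("Partial Access",)),
]

# Constructed sample endpoints.
COMPLIANT = Client("compliant", frozenset({ANY_PROCESS, *COMPLIANCE}))
NONCOMPLIANT = Client("non-compliant", frozenset({ANY_PROCESS}))
NO_HC = Client("HC never ran", frozenset())

if __name__ == "__main__":
    for label, rules in (("three-role", THREE_ROLE_RULES), ("two-role", TWO_ROLE_RULES)):
        for client in (COMPLIANT, NONCOMPLIANT, NO_HC):
            applied, remediation = evaluate(rules, client)
            print(f"{label:10} {client.name:14} applied={applied} remediation={remediation}")
```

Running it shows the point flip_pipe raised: under the two-role rules an endpoint where HC never ran lands in the same limited role as a non-compliant one, while the three-role rules separate the two cases and withhold the full access role from the non-compliant endpoint with a remediation notice.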