I want to share a realm between Windows and Apple's Mac users.
In this realm I would like to execute host checker with this purpose:
1. Verify whether Windows users have their AV software up to date. If not, they will not be allowed to pass.
2. Let Apple Mac users pass provided that they authenticate with success.
Is this possible? I already implemented a Host Checker policy to carry out (1) but I do not know how to tell my SA2500 that I want authenticated Mac users to pass unchecked.
Any hints will be greatly appreciated.
Regards, Rogelio Alvez
Host Checker on the Mac can test for a port, process or file, so you would want it to test for something unique to the Mac OS to differentiate them. I believe there have been other posts with some suggestions on what to use. You can test the user-agent string presented by a browser, but that is modifiable by users, so it is not a strict test.
Thank you very much for your answer.
So in short, there is no way to ask the SA to detect whether the machine is really a Mac if I do not enforce the checking of at least one variable (say, a port, a process or a file).
I imagined so but I wanted to double check.
You can use role-mapping to assign different roles for Mac and Windows users authenticating against the same realm, and on the Windows role you can enable the Host Checker, which would check for the AV software status.
At the Realm level you can use a HC that detects Windows OS, so all clients passing this can be mapped using Custom Expression in the Role Mapping to the Windows Role.
To detect Mac clients, you can use either a HC policy that checks for a specific port, process or file on the Mac or test the User-Agent string sent by the browser (which could be faked by Windows users attempting to bypass the restriction on Windows users to have an up-to-date AV) and use those results in the Role Mapping for Mac users.
See the HC Guide for more details on configuring Host Checker.