I have an annoying result relating to Host Checkers and the "Your computer's security is unsatisfactory".
I am hoping I can make any sense here..
A User Realm associated with a URL a User is accessing has multiple Role Mapping rules, mapping various users and user groups to different Roles.
Each User Role can have it's own Restrictions such as Certificate options or different Host Checkers required.
So, among the different User Roles that may or may not be mapped to a specific user, there may be a whole bunch of different Host Checkers defined.
Image a case where one User maps to one single User Role (out of the many possible in the Realm).
The Host Checker that is specified in that User Role has passed.
The User has no other roles assigned in the Role Mapping so no other Host Checkers is valid for this user.
Still, there is a page displayed after login informing the user that other Host Checkers has failed.
Since the user has already passed "his" Host Checker, the user have the option to "Try Again" or "Continue".
Obviously the user is profoundly confused why he is told that "Your computer's security is unsatisfactory" and is shown a (potentially long) list of hos tCheckers that has failed, simply because they don't apply to him.
How to avoid this behaviour and have the host Checker only display any failure condition(s) related to the Host Checker policy applied on the User Role(s) the User is mapped to?
Obviously you have host checked set and the Role level and not at the Realm level right ?
Under the Role, General, Restrictions, Host Checker,
You have the correct Host Checker Policies selected right ? It sounds like for each role you only want 1 policy applied.
Finally, some times that error you speak of "Your computer's security is unsatisfactory" can appear because host checker failed to run. It's a bit of a bug. I'd recommend doing two things:
1- Uninstall all components on one of the affected machines. This includes Juniper browser objects. Clear all cache and cookies. Manually install host checker from the installers on the System, Installers page. Try again.
2- If it fails, start a policy trace under troubleshooting, user sessions. See exactly why the user is being denied. It could be the criteria is not selected correctly.
It's certainly possible to have only one HC Policy apply to a role. Good Luck.
Thanks for your reply.
You're right. The Host Checkers are in this scenario applied to User Roles, and not the Realm.
The issue is not that the Host Checker fails to correctly do it's job for this spepcific User and User Role.
In the case I presented the Host Checker passes for the user, no problem, and the user have the resources provided by the User Role (once the User has clicked the "Continue" button on the "You computer's security is unsatisfactory" page).
My issue is that the result of other Host Checkers, not applicable to the Users' User Role, is displayed to the user. Each time.
Those come from other User Roles used in the Realm's Role Mapping for other users.
(and since those other Host Checkers are designed for other users they will always fail in this User's PC)
It would be annoying and confusing for the user to see results from other Host Checkers and would also be untrue to tell the user that his/hers computer does not meet security requirements when those Host Checkers do not apply to the user.
So, I am looking for a way to make the Host Checker display the result(s) related Only to this User's User Role.
Are you using reason strings or custom instructions ?
If you are using reason strings I would uncheck that and enable custom instructions for each policy.
Unfortunately there is no difference in behaviour if using Custom Instructions or Reason Strings.
The user is still notified about the result of other Host Checkers.
After some further testing on our production SA6500 6.5R5 (naughty..), I need to correct one thing.
If the one Host Checker passes for the Role mapped to the user, the result of the other Host Checkers used by other roles, are not displayed. Fine.
There still the awkward situation though that if the Host Checker fails for the Role, all the results of all the other Host Checkers for the other Roles are displayed, along with the User's Role's checker.
Making it difficult for the user (and helpdesk...) to know which one actually applies to him/her.