Host Checker check for source IP Address

CNIDog_
Occasional Contributor

Can Host Checker be programmed to check for the source IP address of an incoming connection? I have some users who are allowed to connect from any address, and some who are only allowed to connect from (four) specific addresses. For those restricted users, I want to be able to identify their incoming connections by the source address and then authenticate them (or not) and place them into a role based on the source address. I thought that maybe I could use Host Checker to satisfy this requirement, but I'm not sure how to do it.
Thank you in advance.
7 replies
mk_
New Contributor

Re: Host Checker check for source IP Address

You could achieve this with a custom expression during role mapping:

"The IP address of the machine on which the user authenticates.
Caveat: In the resource policy, netmask can be specified using the bit number or in the netmask format '255.255.0.0'"

Based on this, you can assign the role to the restricted users.
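The role-mapping logic mk_ describes, as an added example rather than Juniper's expression engine or anything posted in this thread; the user names, roles and the four source addresses are constructed placeholders, and the allow-list deliberately mixes the bit-count and dotted-netmask forms the quoted caveat mentions:

```python
"""Source-IP role mapping: unrestricted users get their role from anywhere,
restricted users only when the connection arrives from one of four fixed
sources. Added example, not the appliance's own code."""
from ipaddress import ip_address, ip_network

# Constructed sample policy (placeholders, not the original poster's config).
RESTRICTED_SOURCES = [
    "198.51.100.10",             # single NAT address
    "198.51.100.11",             # single NAT address
    "203.0.113.0/29",            # prefix given as a bit count
    "192.0.2.0/255.255.255.248", # same size prefix, dotted-netmask form
]
USERS = {
    "alice": {"role": "Full-Access", "restricted": False},
    "bob":   {"role": "Branch-Only", "restricted": True},
}


def parse_sources(entries):
    """Normalise every allow-list entry to a network object.
    ip_network() accepts both '/29' and '/255.255.255.248'; strict=False
    tolerates an entry whose host bits are set."""
    return [ip_network(e, strict=False) for e in entries]


def source_allowed(source_ip, networks):
    """True if source_ip falls inside any allowed network."""
    addr = ip_address(source_ip)
    return any(addr in net for net in networks)


def map_role(username, source_ip, users=USERS, sources=RESTRICTED_SOURCES):
    """Return the role to assign, or None to deny the sign-in.

    source_ip is the address the appliance itself sees, i.e. the NAT
    address on the far side of the firewall, not the client's private LAN
    address."""
    user = users.get(username)
    if user is None:
        return None
    if user["restricted"] and not source_allowed(source_ip, parse_sources(sources)):
        return None
    return user["role"]


if __name__ == "__main__":
    print(map_role("bob", "203.0.113.5"))   # Branch-Only
    print(map_role("bob", "8.8.8.8"))       # None (denied)
```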
CNIDog_
Occasional Contributor

Re: Host Checker check for source IP Address

Thank you. I assumed there was a way to satisfy this requirement. The connections will be coming from one of four IP addresses. These source addresses will be NAT-ed addresses that have passed through a firewall. I'm assuming that a resource policy can be written that will look at the incoming packet's source IP address? I have not done this before. Do you know what version of code is required on the SSL VPN appliance? And do you know where I might find an example of such a policy?
kmaybe_
Occasional Contributor

Re: Host Checker check for source IP Address

There is also another way to achieve this task.

You can use the IP restriction feature on the authentication policy of the role or realm to allow or deny users sign-in access based on their source IP address.

Just browse to User Realms --> <realmName> --> Authentication Policy --> Source IP
or
User Roles --> <roleName> --> General --> Restrictions --> Source IP
and add the IP addresses you want to allow or deny.

Because you only have a small number of IP addresses that you need to allow or restrict access for, using this policy to do it would also be a good option since it would be easy to set up and maintain.

I do not discourage the use of Host Checker, however. It's got some powerful capabilities and should not be overlooked. :)

Karen

Ray_
Frequent Contributor

Re: Host Checker check for source IP Address

Is there a way to do this on a Mac or a Linux box? Since the host checker is so limited for non-Windows computers, we want to at least check to make sure these users are behind a router. I would like to check to make sure that the computer they're using has a private IP address.

Thanks,

Ray

CNIDog_
Occasional Contributor

Re: Host Checker check for source IP Address

Ray,

If you are having issues with Host Checker on Mac and Linux devices, you can do as kmaybe suggested also in this thread:

You can use the IP restriction feature on the authentication policy of the role or realm to allow or deny users sign-in access based on their source IP address.

Just browse to User Realms --> <realmName> --> Authentication Policy --> Source IP
or
User Roles --> <roleName> --> General --> Restrictions --> Source IP
and add the IP addresses you want to allow or deny.

Regards,
Ray_
Frequent Contributor

Re: Host Checker check for source IP Address

Thanks for the reply, DAK.

Unfortunately that only works based on their public IP address. I want to block access if the IP address assigned to their computer is not a private IP address if they are using a Mac or Linux. If they're behind a hardware firewall, they would have a private IP address on the computer itself.

There really is no host checker on those operating systems, in my opinion. How tough would it be for Juniper to give us ready-made anti-virus or firewall checks for the dozen or so products that are commercially available for Macs or Linux? I'm not an endpoint security expert. I shouldn't be writing my own because that's the best way to make a mistake.

Ray

zanyterp_
Respected Contributor

Re: Host Checker check for source IP Address

No, IP addresses cannot be checked on non-Windows machines.
With 7.2 there are pre-defined AV checks for Mac