Hi,
Thanks for your interest in our products and don't worry about the 'asking for a mile' bit as here at Juniper we love going the extra mile :-)
Maybe you have already explored these options and they did not fit your requirements however I thought I will list them out as several customers are already stopping end user's at the door (realm level enforcement) for non-compliance.
Option 1: Custom Instructions:
1. "Require and Enforce" your policies at realm level
2. Use the custom instructions to indicate detailed Remedial measures to your end users.
Option 2: Use Custom sign in page and customize Remediate.thtml - The limitation of option 1 is that its 'either all or nothing' when it comes to remediation i.e.. If you enforce multiple policies policy and if 2 or 3 of them fail then it will Remediate for all of them. However this can be controlled to a certain degree using the 'Custom Sign In Pages' framework. Specifically the file remediate.thtml contains the page that is used when Remediation pages are displayed. For example I inserted the below piece of code in the Remediate.thtml file and it will display the message only if the policy 'av1' fails.
<% IF failedPolicy.name == "av1" %>
<tr valign="top">
<td>Did not find AV1 - or your custom message here</td>
</tr>
<% END %>
This is a simple example however using the custom sign in page framework powerful custom login can be built around your requirements. For more details about custom sign in pages you may refer the admin guide and the custom sign in pages solution guide available @ http://www.juniper.net/techpubs/software/ive/6.x/admin/6.5-CSPSolutionGuide.pdf In addition familiarity with HTML, JavaScript, etc and Template Toolkit (the custom sign in pages framework in IVE recognizes template toolkit directives) will go a long way when working with custom sign in pages.
We hope this information helps you design your solution.
Regards
Ruchit Sheth
Senior Escalation Engineer
Juniper Networks
