cancel
Showing results for 
Search instead for 
Did you mean: 

Host Checker

SOLVED
Highlighted
Occasional Contributor

Host Checker

Recently we created a realm on our Juniper appliances to allow access for Mac OS X users. This decision was made after several Mac users made the request. Now that we have created our realm we are running into a few concerns. We require that windows users who connect to our system have Antivirus running and up to date on thier machines, however we have decided we will not enforce this same policy for Mac users. With that being said, we would like to create a host check policy to keep our users with Windows machines off the Mac realm. The role mapping is completely different in the Mac realm and we feel this will only cause confusion. I was told by a Juniper support member to just creat a policy that denies access to all computers that have explorer.exe running. However, after creating this policy it did keep Windows users out...but it kept Mac users out as well. If anyone has any suggestions I would greatly appreciate them.

Thanks in advance,

Rich Peace

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Contributor

Re: Host Checker

You can also accomplish this by creating two different Realms so you don't have to have two different sign-in URLs.

1. Create two different Realms - one for Windows - one for MAC

2. On the Windows Realm go to Users > User Realms > (REALM) > Authentication Policy > Browser

3. In the "user agent string pattern" enter "*Windows*" (no quotes but with the *) - choose "allow" and a click "Add"

4. Now enter * for the user agent string pattern - with a "deny" and click "Add"

5. Make sure the "Windows" allow rule is on the top, above the deny - now only Windows user can login

6. Be sure to select "Only allow users matching the following User-agent policy"

7. Now repeat the same for the process but for Step 3, enter "*Mac*" (no quotes but with the *) then follow the rest of the

steps.

Now setup the Sign-in policies

1. Go to Authentication > Signing In > Sign-in Policies

2. Choose the URL that the users are going to be using

3. Make sure you have "User picks from a list of authentication realms" selected

4. Move the Windows and MAC Realm over to the selected Realms and save

So when user browse to the URL, they normally would have to pick form the two Realms (Windows or Mac). However, since we have the browser string, a Windows user cannot see the Mac Realm and a Mac user cannot see the Windows Realm.

Essentially, they will not have to choose a Realm

This makes it a lot easier than doing the same configuration on the Role. As new roles need to be added, you can just add them to the Realm instead of continually repeating the process on each new role.

Hope this helps.

Jahmal

View solution in original post

14 REPLIES 14
Highlighted
Frequent Contributor

Re: Host Checker

Hi Rich,

I don't understand what you mean by "the role mapping is completly different in the Mac realm."

I did what you want to do by requiring Windows boxes to pass the host checker before they get to the login screen. My Mac realm is the same URL but they need to remember to add /mac at the end. It doesn't do host checking.

I don't map Windows users to the /mac realm and it works fine.

Ray

Highlighted
Frequent Contributor

Re: Host Checker

@Ray: How do you prevent Windowsusers to not access the /mac URL?
Highlighted
Frequent Contributor

Re: Host Checker

/mac is created at Signing In - Sign In Policies - User URLs. It uses the default sign-in page. It's created as */mac/

The authentication realm is "Macintosh - No Host Checks"

When you click on */mac/, I have these settings:

"Users must pick from a list of authentication realms" - the only realm selected is "Macintosh - no host checks"

Then I just assign the Mac users to that authentication realm in the realm's Role Mapping.

Ray

Highlighted
Contributor

Re: Host Checker

You can also accomplish this by creating two different Realms so you don't have to have two different sign-in URLs.

1. Create two different Realms - one for Windows - one for MAC

2. On the Windows Realm go to Users > User Realms > (REALM) > Authentication Policy > Browser

3. In the "user agent string pattern" enter "*Windows*" (no quotes but with the *) - choose "allow" and a click "Add"

4. Now enter * for the user agent string pattern - with a "deny" and click "Add"

5. Make sure the "Windows" allow rule is on the top, above the deny - now only Windows user can login

6. Be sure to select "Only allow users matching the following User-agent policy"

7. Now repeat the same for the process but for Step 3, enter "*Mac*" (no quotes but with the *) then follow the rest of the

steps.

Now setup the Sign-in policies

1. Go to Authentication > Signing In > Sign-in Policies

2. Choose the URL that the users are going to be using

3. Make sure you have "User picks from a list of authentication realms" selected

4. Move the Windows and MAC Realm over to the selected Realms and save

So when user browse to the URL, they normally would have to pick form the two Realms (Windows or Mac). However, since we have the browser string, a Windows user cannot see the Mac Realm and a Mac user cannot see the Windows Realm.

Essentially, they will not have to choose a Realm

This makes it a lot easier than doing the same configuration on the Role. As new roles need to be added, you can just add them to the Realm instead of continually repeating the process on each new role.

Hope this helps.

Jahmal

View solution in original post

Highlighted
Frequent Contributor

Re: Host Checker

@Ray: Thx for the info, but the question was more about, if you accept windows users to sign in with the MAC realm just in case it does not work with the windows one, e.g. because missing AV.

Also jahmals solution which is good but not a relibale solution, but for sure it depends on the needs...

Highlighted
Frequent Contributor

Re: Host Checker

Hi Ben,

Perhaps you could rephrase your question. It doesn't appear to me to have anything to do with the original query. If you give WIndows users access to the /mac realm, then they have access. If you don't want them to use it, remove their access. Security through obscurity (not telling them about /mac) stops working when they learn about it.

If you're concerned about an out of date AV, look at firmware 6.2. It has auto-remediation features for problems like this.

Take care,

Ray

Message Edited by Ray on 06-16-2008 10:23 AM
Highlighted
Occasional Contributor

Re: Host Checker

Jahmal, thanks for you input. Your solution is actually the path we decided to take. We do have two seperate realms, however we do not want to assume users will never find out about the /mac realm. It would not be a big deal for either mac users or windows users to log into both realms provided they meet the security requirements. It just seems like it would be sloppy if we created two realms and then just let everyone log into them.

I say the role mapping is different because it is. One user who logs into the Mac realm we have created will get mapped to different groups and policies than they would if they logged into our normal users realm. We allow Macs onto our Device because we have a lot of users who have Macs that want to connect, however we do not do any mapping of network drives for them because they are not required to have any anti-virus software installed. Thanks for the ideas and help from everyone.

Highlighted
Frequent Contributor

Re: Host Checker

@Ray: It looks like I missed the information both sign in policies are based on different auth realms? If not than it's just, as you mentioned, security by obscurity and not an option for my situation anymore. That's what I was asking about.

And I am pretty sure, for my environment, ppl would rapidly learn about how to avoid such host checks if the can, even if they'd pass them.

Highlighted
Occasional Contributor

Re: Host Checker

Is there no better way other than using browser agent string (which can be altered) to only allow client machines using a certain operating system? If we only wanted Windows machines to be able to connect in, how is the best way to do this?