I have this situation: all users have the possibility to use Network Connect with a host checker policy.
I would like to use the host checker in order to verify:
1. If the user is connected from a domain PC (host checker verifies the presence of a particular process), the connection is granted.
2. If the user is connected from another PC or hot-spot, the NC portion is removed, instead of refusing all access.
One possibility would be to work with GINA and force the user to use GINA and to log in with domain credentials AFTER the NC tunnel is established.
1. Create a user role named "NC Users".
2. Check the "Network Connect" option for this role.
3. Under Network Connect Options, check "Install GINA...".
4. Check "Require NC to start when logging into Windows".
5. Create a second role with all the options you want, but without Network Connect.
6. Under User Realms, create a new realm.
7. On that realm, under Role Mapping Rules, put first the rule "if Username is * then assign role "NC Users"". DON'T mark the "Stop" flag!!
8. On that realm, under Role Mapping Rules, create a second rule "if Username is * then assign role "Untrusted PCs"".
When the user connects to the IVE, role mapping will check whether this user logs in via GINA (start tunnel before winlogon). The user will be able to start the tunnel if GINA and NC are already installed on the PC. When the user starts the tunnel and then wants to log in to the domain, the tunnel will break if this PC does not have a computer account in Active Directory.
If the PC has a computer account in Active Directory and NC and GINA are installed, the user will be able to start the tunnel and then log in directly over the tunnel to his domain controller.
If the PC has no computer account in Active Directory, the user cannot open an NC tunnel, but he will be mapped to the second role and log in successfully to the web portal.
Just try this out. GINA is a nice feature for managed domain desktop PCs, because the user has the same desktop and automatically mapped drives as he has when he is in the office.
Let's say you have a Host Checker policy with the name "Antivirus". If you create a custom expression named "Antivirus Check Failed" which looks like -
hostCheckerPolicy != "Antivirus"
then you could use this custom expression to put users who failed the antivirus check into a specific role. These custom expressions can be quite complex, including AND, OR, and NOT logic. For example, if you also had a Host Checker policy with the name "Firewall", you could assign a role for a user who failed either the Antivirus or Firewall check with an expression like -
(hostCheckerPolicy != "Antivirus") OR (hostCheckerPolicy != "Firewall")
You could also use returned attributes from an authorization server in the expression, allowing you to assign users to roles based on authorization information (e.g., a RADIUS Class attribute) as well as Host Checker results.
Hope this is helpful.
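Added example (not part of either answer above, and not the IVE's own code): a small Python model of how the realm's role mapping rules from both answers behave, so the effect of the "Stop" flag and of the `hostCheckerPolicy != "..."` expressions can be tried offline. Assumptions, stated in the code too: rules are evaluated top to bottom, every matching rule contributes its roles, a matching rule with the stop flag ends evaluation, `hostCheckerPolicy != "X"` is modelled as "the endpoint did not pass policy X", and returned RADIUS attributes are looked up by name. The role names "Remediation" and "Full Access" and the `Class` value "Staff" are constructed for the example; "NC Users", "Untrusted PCs", "Antivirus" and "Firewall" come from the thread.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Set

# Constructed session model (assumption): what the realm sees for one login
# after authentication and Host Checker evaluation.
@dataclass
class Session:
    username: str
    passed_policies: Set[str]                                  # Host Checker policies the endpoint passed
    user_attrs: Dict[str, str] = field(default_factory=dict)   # e.g. a returned RADIUS Class attribute

Condition = Callable[[Session], bool]

@dataclass
class Rule:
    condition: Condition
    roles: List[str]
    stop: bool = False   # the "Stop" flag on a role mapping rule

# --- building blocks for custom expressions (modelled, not the IVE parser) ---

def username_is(pattern: str) -> Condition:
    """'if Username is *' style rule; '*' is a wildcard."""
    return lambda s: fnmatchcase(s.username, pattern)

def hc_failed(policy: str) -> Condition:
    """Models  hostCheckerPolicy != "<policy>" : the endpoint did not pass it."""
    return lambda s: policy not in s.passed_policies

def hc_passed(policy: str) -> Condition:
    """Models  hostCheckerPolicy = "<policy>"."""
    return lambda s: policy in s.passed_policies

def user_attr_is(name: str, value: str) -> Condition:
    """Models a comparison against an attribute returned by the authorization server."""
    return lambda s: s.user_attrs.get(name) == value

def any_of(*conds: Condition) -> Condition:   # OR
    return lambda s: any(c(s) for c in conds)

def all_of(*conds: Condition) -> Condition:   # AND
    return lambda s: all(c(s) for c in conds)

def negate(cond: Condition) -> Condition:     # NOT
    return lambda s: not cond(s)

# --- the evaluation loop (assumed semantics) ---------------------------------

def map_roles(rules: List[Rule], session: Session) -> List[str]:
    """Evaluate rules top to bottom. Every matching rule adds its roles; a
    matching rule with the stop flag ends evaluation, so later rules never
    fire. That is why the first answer says not to set it on rule 1."""
    assigned: List[str] = []
    for rule in rules:
        if rule.condition(session):
            for role in rule.roles:
                if role not in assigned:
                    assigned.append(role)
            if rule.stop:
                break
    return assigned

# Realm from the first answer: two catch-all rules, no stop flag on the first.
GINA_REALM = [
    Rule(username_is("*"), ["NC Users"]),
    Rule(username_is("*"), ["Untrusted PCs"]),
]

# The same realm with the stop flag set on rule 1, to show what that would do.
GINA_REALM_WITH_STOP = [
    Rule(username_is("*"), ["NC Users"], stop=True),
    Rule(username_is("*"), ["Untrusted PCs"]),
]

# Realm from the second answer. The OR expression is the page's; the role
# names and the Class value are constructed.
HC_REALM = [
    Rule(any_of(hc_failed("Antivirus"), hc_failed("Firewall")), ["Remediation"], stop=True),
    Rule(all_of(hc_passed("Antivirus"), hc_passed("Firewall"),
                user_attr_is("Class", "Staff")), ["Full Access"]),
]

if __name__ == "__main__":
    alice = Session("alice", {"Antivirus", "Firewall"}, {"Class": "Staff"})
    bob = Session("bob", {"Antivirus"})   # failed the Firewall check
    print(map_roles(GINA_REALM, alice))             # both roles
    print(map_roles(GINA_REALM_WITH_STOP, alice))   # only NC Users
    print(map_roles(HC_REALM, alice))               # Full Access
    print(map_roles(HC_REALM, bob))                 # Remediation
```

Running it shows the point of step 7 in the first answer: without the stop flag every user lands in both "NC Users" and "Untrusted PCs", so a PC that cannot hold the tunnel still has the portal role; with the stop flag set, the second rule is never reached. The `HC_REALM` rules show the second answer's expression putting an endpoint that failed either check into a separate role before any full-access rule is considered.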