cancel
Showing results for 
Search instead for 
Did you mean: 

Host checker and network connect options

SOLVED
mcm0362_
Occasional Contributor

Host checker and network connect options

Hello,

I have this situation: all user have the possibility to use Network Connect with an host checker policy.

I would like to use the host checker in order to verify:

1. If user is connected from a domain pc (host checker verifies the presence of a particulare process) the connection is granted.

2. If user is connected from another pc or hot-spot the NC portion removed, instead of refusing all access.

Many thanks

Marco

1 ACCEPTED SOLUTION

Accepted Solutions
kenlars_
Super Contributor

Re: Host checker and network connect options

The success or failure of each Host Checker policy can be used at role mapping time using Custom Expressions. Set it up so that if the policy succeeds, the user is assigned to a role with NC. If the policy fails, assign the user to a role which does not include NC.

View solution in original post

6 REPLIES 6
kenlars_
Super Contributor

Re: Host checker and network connect options

The success or failure of each Host Checker policy can be used at role mapping time using Custom Expressions. Set it up so that if the policy succeeds, the user is assigned to a role with NC. If the policy fails, assign the user to a role which does not include NC.

View solution in original post

kcorace_
Occasional Contributor

Re: Host checker and network connect options

The way I've done this is by creating a seperate User Role that just has the network connect. If users have the registry key for Logon Domain matching our internal domain then I allow the access to the domain. If not they just map to their other roles which do not include network connect. Obviously this isn't doing machine authentication to AD like you can do with other NAC implementations, but I'm also running a few other checks before they are allowed the network connect role.
dusannovakovic_
Contributor

Re: Host checker and network connect options

One possibility would be to work with GINA and enforce the user to use GINA and to login with domaincredentials AFTER NC Tunnel is established.

1. Create as Userrole named "NC Users".

2. Mark the button on "Network Connect" for this role.

3. Under network Connect Opions, mark the button "Install Gina...".

4. Mark the button "Require NC to start when loggin into Windows"

5. Create a second role with all options you want, but without Network connect.

6. On User Realms, create a new Realm

7. On that Realm, on Role Mapping Rules, put first the Rule if Username is * then assign role "NC Users". DONT mark the "STOP Flag"!!

8. On that Realm, on Role Mapping Rules, create a second Rule "if Username is * then assign Role "Untrusted PCs".

When user connects to IVE, Role mapping will look if this user loggs in via GINA (start tunnel before winlogon). User will be able to start the tunnel, if gina and nc is allready installed on the pc. When user starts the tunnel, and then wants to login to the domain, tunnel will break up when this pc has not a computer account in active directory.

If the pc has a computer account in Active Directory and NC and GINA is installed, user will be able to start the tunnel, and then login directly over the tunnel to his domaincontroller.

If the pc has no computer account in Active Directory, user can not open a nc tunnel, but he will be mapped to second role and login successfully to the webportal.

Just try this out, GINA is a nice feature for managed domain desktop pcs, cause user has the same desktop and automatic mapped drives as he has when he is in the office.

Message Edited by dusannovakovic on 05-03-2008 09:36 AM
Raj909_
Contributor

Re: Host checker and network connect options

Can someone provide detailed information on using multiple user roles and creating custom expressions?

I am also trying to perform Host Checking on computers, and providing access to Network Connect, if they meet the requirements. If not, Network Connector is unavailable.

Thanks
kenlars_
Super Contributor

Re: Host checker and network connect options

Raj909 -

Let's say you have a Host Checker policy with the name "Antivirus". If you create a custom expression named "Antivirus Check Failed" which looks like -

hostCheckerPolicy != "Antivirus"

then you could use this custom expression to put users who failed the antivirus check into a specific role. These custom expressions can be quite complex, including AND, OR, and NOT logic. For example, if you also had a Host Checker policy with the name "Firewall", you could assign a role for a user who failed either the Antivirus or Firewall check with an expression like -

(hostCheckerPolicy != "Antivirus") OR (hostCheckerPolicy != "Firewall")

You could use returned attributes from an authorization server in the expression, allowing you to assign users to roles based on authorization information (e.g., a Radius class attribute) as well as Host Checker results.

Hope this is helpful.

Raj909_
Contributor

Re: Host checker and network connect options

kenlars,

Thanks, that really helped and got it working now!

Raj909