
Juniper SA / MAG and GeoIP

Occasional Contributor

Juniper SA / MAG and GeoIP

Hello,

 

is it possible to use GeoIP databases for country lookups with the Juniper SA solution and assign roles or resources based on the country of origin?

I'm aware that this functionality is not directly integrated, but is there an easy way to add that kind of functionality in some way?

 

Thanks.

Valued Contributor

Re: Juniper SA / MAG and GeoIP

Interesting question - Role assignment can be based on attributes from RADIUS or LDAP, but you would need to populate a user record with the GeoIP data and then you could evaluate it.

 

Could you base it on SourceIP? That is one of the custom expression variables that can be used. 

Occasional Contributor

Re: Juniper SA / MAG and GeoIP

Hello,

 

I'm afraid not, because due to compliance requirements we have to assign resources / roles based on the country the employee, and therefore his notebook, is located in.

This is nothing that can be mapped by hand in the Source IP field, because the number of networks per country is obviously too high.

 

Any ideas? 

Valued Contributor

Re: Juniper SA / MAG and GeoIP

No way to store the country code in your LDAP / AD store?

Occasional Contributor

Re: Juniper SA / MAG and GeoIP

I'm sure that a country code can be stored in our LDAP. But the source IP has to be classified before that via GeoIP to resolve the country, and I think this isn't possible with the SA, right?

 

Or what do you mean exactly? :-)

Valued Contributor

Re: Juniper SA / MAG and GeoIP

Alas - you are correct - the SA does not do that. I was, again, thinking of manually dumping the country code into the LDAP record. 

 

Do you have a load balancer in front of your SA that does geocoding? You could do something cute like use the load balancer to do IP address translation based on GeoIP and then create a host check rule that would map to the appropriate role based on the assigned IP address. About the only other way that I can think of.

Frequent Contributor

Re: Juniper SA / MAG and GeoIP

Getting a little more "Out there" as a solution....

 

If these are all company-owned devices, you could have a startup script that does an internet lookup and writes the country code to a specific registry key. Then construct a Host Checker policy to use that key for role access...

 

-S


Respected Contributor

Re: Juniper SA / MAG and GeoIP

Easy? No. But there are several external options, as have been listed here. The easiest external option is probably a load balancer that uses that information and can send the traffic to a specific device for each country, if you have 1+ per country, or to an IP address you choose for realm-based accesses.

Possibly not as easy, but probably more efficient, is to set up a script as rswinter outlined to set a registry value and check that with Host Checker. You can enforce on the realm, so one realm per country/country group, or on the role, which would allow for as little as one realm, and set restrictions for each role to require specific policies.
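The registry-key approach rswinter outlined and the last reply endorses, as an added example that is not code from the thread or from Juniper: a startup script that resolves the client's egress address to a country and stores the result for a Host Checker rule to read. The prefix table is a constructed stand-in for a real GeoIP database, and the registry path `SOFTWARE\ExampleCorp\GeoIP` is a hypothetical location chosen here.

```python
import ipaddress
import sys

# Constructed sample prefixes (network -> ISO country code). A real
# deployment would load a GeoIP database here instead of this table.
SAMPLE_GEOIP_TABLE = [
    ("203.0.113.0/24", "DE"),
    ("203.0.113.128/25", "AT"),   # more specific than the /24 above
    ("198.51.100.0/24", "US"),
    ("2001:db8::/32", "CH"),
]

# Hypothetical registry location for a Host Checker rule to read.
REG_KEY = r"SOFTWARE\ExampleCorp\GeoIP"
REG_VALUE = "CountryCode"


def lookup_country(ip_text, table=SAMPLE_GEOIP_TABLE):
    """Longest-prefix match of ip_text against table. Returns 'XX' when
    nothing matches, so an unknown address never maps to a real country
    and silently satisfies a country-based role rule."""
    ip = ipaddress.ip_address(ip_text)
    best = None
    for prefix, code in table:
        net = ipaddress.ip_network(prefix)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, code)
    return best[1] if best else "XX"


def write_country_code(code, key=REG_KEY, value=REG_VALUE):
    """Store code under HKLM on Windows; on other platforms only return
    it. Returns the code that was (or would have been) written."""
    if sys.platform == "win32":
        import winreg  # Windows-only module, imported lazily on purpose
        with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
            winreg.SetValueEx(handle, value, 0, winreg.REG_SZ, code)
    return code


if __name__ == "__main__":
    # The public egress address would come from the startup lookup the
    # post mentions; a constructed default keeps this runnable offline.
    egress_ip = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.25"
    print(write_country_code(lookup_country(egress_ip)))
```

Because the value is written by the endpoint itself, a Host Checker rule that reads it trusts the device as much as the GeoIP result, which is why the post restricts the idea to company-owned devices.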