Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Juniper SA / MAG and GeoIP

envian_
envian_
Occasional Contributor
‎01-23-2013 12:57:PM
‎01-23-2013 12:57:PM

Juniper SA / MAG and GeoIP

Hello,

 

is it possible to use GeoIP Databases for country lookups with the Juniper SA solution and assign roles or ressources based on the country of origin ?

I«m aware that this is no functionality is not directly integrated, but is there an easy way to add that kind of functionality

in some way?

 

Thanks.

0 Kudos
Reply
7 REPLIES 7
muttbarker_
Valued Contributor
‎01-24-2013 07:36:AM
‎01-24-2013 07:36:AM

Re: Juniper SA / MAG and GeoIP

Interesting question -Role assignment can be based on attributes from Radius or LDAP but you would need to populate a user record with the GeoIP data and then you could evaluate it. 

 

Could you base it on SourceIP? That is one of the custom expression variables that can be used. 

0 Kudos
Reply
envian_
envian_
Occasional Contributor
‎01-24-2013 07:42:AM
‎01-24-2013 07:42:AM

Re: Juniper SA / MAG and GeoIP

Hello,

 

i«m afraid not, because due to compliance requirements we have to assign ressources / roles

based on the country the employee and therefore his notebook is located in.

this is nothing that can be mapped by Hand in the Source IP field, because amount of networks

by country is obviously too high.

 

Any ideas? 

0 Kudos
Reply
muttbarker_
Valued Contributor
‎01-24-2013 07:57:AM
‎01-24-2013 07:57:AM

Re: Juniper SA / MAG and GeoIP

No way to store the country code in your LDAP / AD store?

0 Kudos
Reply
envian_
envian_
Occasional Contributor
‎01-24-2013 10:56:AM
‎01-24-2013 10:56:AM

Re: Juniper SA / MAG and GeoIP

I«m sure that a country code can be stored in our LDAP. But the source IP has to be classified

before that via GeoIP, to resolve the country. And I think this isn«t possible with the SA, right?

 

Or what do you mean exactly? :-)

0 Kudos
Reply
muttbarker_
Valued Contributor
‎01-24-2013 11:25:AM
‎01-24-2013 11:25:AM

Re: Juniper SA / MAG and GeoIP

Alas - you are correct - the SA does not do that. I was, again, thinking of manually dumping the country code into the LDAP record. 

 

Do you have a load balancer in front of your SA that Geo coding? You could do something cute like use the load balancer to do IP address translation based on GeoIP and then create a host check rule that would map to the appropriate role based on the assigned IP address. About the only other way that I can think of.

0 Kudos
Reply
rswinter_
Frequent Contributor
‎01-24-2013 12:49:PM
‎01-24-2013 12:49:PM

Re: Juniper SA / MAG and GeoIP

Getting a little more "Out there" as a solution....

 

If these are all Comapny owned devices, you could have a startup script that does an internet lookup and writes the country code to a specific Registry Key.  then construct a host checker policy to use that key for Role access...

 

-S

 

 

 

 

0 Kudos
Reply
zanyterp_
Respected Contributor
‎01-25-2013 05:23:AM
‎01-25-2013 05:23:AM

Re: Juniper SA / MAG and GeoIP

Easy? No. But there are several external options as have been listed here. The easiest external option is probably a load balancer that uses that information and can send the traffic to a specific device for each country, if you have 1+ per country, or IP address you choose for realm-based accesses.
Possibly not as easy, but probably more efficient, is to setup a script as rswinter outlined to set a registry value and check that with host checker. You can enforce on the realm, so one realm per country/country group, or on the role, which would allow for as little as one realm, and set restrictions for each role to require specific policies
0 Kudos
Reply
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.