Hello,
is it possible to use GeoIP databases for country lookups with the Juniper SA solution and assign roles or resources based on the country of origin?
I'm aware that this functionality is not directly integrated, but is there an easy way to add that kind of functionality in some way?
Thanks.
Interesting question - Role assignment can be based on attributes from Radius or LDAP, but you would need to populate a user record with the GeoIP data and then you could evaluate it.
Could you base it on SourceIP? That is one of the custom expression variables that can be used.
Hello,
I'm afraid not, because due to compliance requirements we have to assign resources / roles based on the country the employee, and therefore his notebook, is located in.
This is nothing that can be mapped by hand in the Source IP field, because the number of networks by country is obviously too high.
Any ideas?
No way to store the country code in your LDAP / AD store?
I'm sure that a country code can be stored in our LDAP. But the source IP has to be classified before that via GeoIP, to resolve the country. And I think this isn't possible with the SA, right?
Or what do you mean exactly? :-)
Alas - you are correct - the SA does not do that. I was, again, thinking of manually dumping the country code into the LDAP record.
Do you have a load balancer in front of your SA that does geocoding? You could do something cute like use the load balancer to do IP address translation based on GeoIP and then create a host check rule that would map to the appropriate role based on the assigned IP address. About the only other way that I can think of.
Getting a little more "Out there" as a solution....
If these are all Company owned devices, you could have a startup script that does an internet lookup and writes the country code to a specific Registry Key. Then construct a host checker policy to use that key for Role access...
-S
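The step the thread agrees the SA cannot do itself, classifying a source address by country before a role is chosen, is what the load balancer or startup script above would have to perform. The following is an added example, not code from the thread or from Juniper, showing that classification as a longest-prefix lookup over a GeoIP table and a country-to-role mapping. The CIDR ranges, country codes and role names are constructed placeholders (the ranges are IANA documentation blocks, not real allocations); a production lookup would load a vendor GeoIP database instead. Private and loopback addresses are deliberately returned as "unknown" rather than guessed, so a misconfigured NAT in front of the device cannot silently map everyone to one country's role.

```python
import ipaddress

# Constructed sample GeoIP table: (network, ISO country code).
# These are documentation ranges used as placeholders, not real allocations.
SAMPLE_GEOIP_TABLE = [
    ("192.0.2.0/24", "DE"),
    ("198.51.100.0/24", "US"),
    ("198.51.100.128/25", "CA"),   # more specific block nested inside the "US" range
    ("203.0.113.0/24", "JP"),
]

# Constructed country -> role mapping (role names are hypothetical).
COUNTRY_TO_ROLE = {
    "DE": "eu-employees",
    "US": "us-employees",
    "CA": "us-employees",
    "JP": "apac-employees",
}

# Address space that can never be geolocated meaningfully (RFC 1918, loopback,
# link-local). Checked explicitly rather than via ip.is_private, because Python
# also flags the documentation ranges used above as "private".
NON_GEOLOCATABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def build_table(entries):
    """Parse the CIDR strings once and order most-specific prefix first,
    so the first match found is the longest-prefix match."""
    parsed = [(ipaddress.ip_network(net, strict=True), cc) for net, cc in entries]
    return sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)


GEOIP_TABLE = build_table(SAMPLE_GEOIP_TABLE)


def lookup_country(addr, table=GEOIP_TABLE):
    """Return the ISO country code for a source address, or None when the
    address is non-routable or not present in the table."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in NON_GEOLOCATABLE):
        return None
    for net, cc in table:
        if ip.version == net.version and ip in net:
            return cc
    return None


def role_for_source(addr, table=GEOIP_TABLE, mapping=COUNTRY_TO_ROLE):
    """Map a source address to a role via its country; None means
    'no country-based role', which the policy should treat as deny."""
    cc = lookup_country(addr, table)
    if cc is None:
        return None
    return mapping.get(cc)


if __name__ == "__main__":
    for src in ["192.0.2.10", "198.51.100.5", "198.51.100.200", "10.0.0.5", "8.8.8.8"]:
        print(f"{src:16} country={lookup_country(src)!s:5} role={role_for_source(src)}")
```

Whatever component performs the lookup (the load balancer doing address translation, or the startup script writing a registry value for Host Checker to read), the same two properties matter for the compliance requirement: the most specific range must win, and an address that cannot be classified must yield no role rather than a default one.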