Please can someone explain this to me: I want to allow full VPN to company owned laptops but not to home computers for staff access. I'd like to do this at a role mapping level by checking for a computer certificate issued by an AD domain certificate authority to the computer. If the cert is there then the user gets NC. If it isn't they are mapped to a role which provides some web based resources instead.
So far I have configured this at the role level by using a host checker policy to see if there is a machine certificate and this works. But I would like to do it at the role mapping level so I can in theory allow access to the role without the certificate, if for example a user's certificate expires while they are abroad, say.
Whatever I try to check as the certificate attribute at the role mapping level seems to fail whether it be CN or certDN or Subject or whatever... Is this because I need to switch on something at the realm level or use a certificate server?
Is it because at the role mapping level it's looking at a user certificate in the browser and not the machine certificate?
Finally is this sensible? Is there a better way of differentiating between company computers and 'other' computers?
Machine certs can't be used directly by users.
What could be done:
* run the host checker for machine cert but don't reject user if the test fails
* use the host checker result (there is a predefined variable) to map roles.
See http://www.juniper.net/techpubs/software/ive/guides/howtos/How_To_Host_Checker.pdf page 25 to create role-mapping rules based on a user's Host Checker status.
Thanks for your reply - that makes sense. As a second but related question - is it possible to prevent users downloading the NC binary (so it has to be installed on the machine directly) as a crude form of controlling access to NC?
[Yes they could easily obtain the binary elsewhere so this wouldn't be as good as checking mac address or certificate etc but....]
I know what I'm about to suggest doesn't answer - directly - your question, but have you considered using the Host Checker to check for your standard set of corporate compliance apps (e.g. AV, asset management, things like domain membership, and so on)?
Sure, it's not quite as airtight as checking for client-side certs, but on the other hand, if you don't make it clear to users what you're checking for, it's relatively hard for them to "collect the whole set" and fool your host checks.
I use the host checker in evaluate mode, then use rules & expressions in role mapping to steer people appropriately.
I'm not sure if you found it, but to confirm: in order to check user certificates at the role, you need to enable one of these two options on the realm at Users>User Realms>realmName>Authentication Policy>Certificate: remember client certificate or require client certificate. The remember option, middle when looking at the radio buttons, checks the client for a certificate and uses that data for the session; the second (third radio button) requires the certificate to be present on the system in order to complete login and will deny access if there is no user cert found.
No, it is not possible to prevent Network Connect from downloading if users need to use it...unless you wanted to do a Host Checker file check for the .exe being present and giving a role with Network Connect if they pass and not giving Network Connect if they don't.