It was a pleasand surprise to find that Juniper supports SAN (Subject Alternative Names). I am hosting two sign-in pages (realms)... one gives you NC with full access and other one with limited proxy. I am checking Machine cert using HC for full access and if it is not found, then I generate a remediation message telling user to go to other sign in page.
Is there any way to automate this process? If HC check fails, user should get a message with a button to go to different realm/sign-in page or automatically redirects him to limited access sign-in page.
Hi VPN Junkie,
- create a second sign in page that point on your second realm like */untrustusers ( in the sign-in policy control )
- edit the custum instruction in the Host Checker and type a text with the Hyper Link to this page
Another option might be to have the same sign-in page for both types of user and map the role according to security posture of the machine or user at the role mapping stage. You host check the host for their cert at the sign-in level, but don't enforce. Then to map the correct user type to their relevant role, refer to the host check at the role mapping stage of the logon.
If the user passed the machine cert check they get NC with full access, if they didn't, assign another role with less connectivity options.
This way you can easily add-in more granular checks for extra access levels in the future.
thanks for your response kelnars....
the issue is I am dealing with machine certs and not user certs. Is there any way to check machine certs without using HC? I dont think so.