IDP - SA integration allows for a user session to be terminated, disabled or have a role mapping change take place. In the event of termination or disabling of a session the user is given an error message allowing them to understand why this action was taken.
If you role map you can of course do all sorts of fun things like directing to a specific WEB page, special help pages, notification messages....
So you should most certainly achieve your customer's objectives.
Hey Andi - under the system tab go to Configuration and then go to the sensors tab. Two steps -
#1 define your sensor(s)
#2 define the policies that will control the actions that are to be taken when the sensor detects an event (Sensor Event Policies).
The admin guide does an ok job of describing the setup steps necessary to integrate the two. The "Event Policies" component is really where the bulk of the work is done. You have to define the events that will occur and then the actions you want taken. Actions, like I said, are terminate, disable, role map.
Events take some thought - you will be using the Expressions capability of the SA box. There are a bunch of pre-built expressions for the IDP that you will build from.
So step #1 is to get the two boxes talking -
Step #2 is to create an event based on a traffic occurrence that is fairly common - log it initially (ignore) so you can track it to confirm that you know how to write rules.
If you have issues getting events into the sensor on a regular enough basis to write rules then pick up either Metasploit to attack the sensor, or if you don't want to actually attack the sensor then use NMAP - great at triggering alerts in the IDP if you have a fairly broad screening policy.
So, by default, if a user was terminated, disabled or mapped to the Quarantine Role, SA will show a pop-up with the reason why they were disconnected from NC, is that right?
If we want to give the user redirect pages, can we do that by mapping the user role, with the Quarantine user role configured to redirect to an HTML warning page? Is that possible?
Btw, thank you Kevin for responding to my questions.
I attached the document that describes SA-IDP integration.
JNCIS-SSL, JNCIA-FW, JNCIA-IDP