
SA2500 user redirect

James_ifs_
Occasional Contributor

Hi all,

 

I manage our SA2500 box running 7.3R2. Currently all users log in to the one realm, and all are hostchecked and assigned roles; however, only certain users need to be hostchecked.

I would like to set up the system so all users log in to one realm; however, certain users get redirected to a different realm (with hostchecker set to evaluate) once logged in.

 

Is this possible?

8 REPLIES 8
kalagesan_
Super Contributor

Re: SA2500 user redirect

Hi James,

I understand that you have an SA2500 box running 7.3R2. I understand your requirement, where all users log in to one realm; however, certain users get redirected to a different realm (with hostchecker set to evaluate) once logged in.

Your requirement is possible. "Evaluate Policies" will evaluate the policy on the client. "Require and Enforce" will require and enforce the policy in order to log in to this realm.

If you configure "Require and Enforce" for the hostchecker policy at realm level, only users who pass this policy will be allowed to log in.

Another option is to use "Evaluate Policies" at realm level and enforce the hostchecker policy at role level; also have a guest role configured without hostchecker enabled at role level. Have the merge setting enabled in the role mapping rule.

User complying with HC policy will be logged in to realm 1 mapped with role1 enabled to HC policy
User not complying with HC policy will be logged in to realm 1 mapped with role2 (guest role) since role 1 failed.

 

Hope this helps.

 

Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks!

Regards,
Kannan

zanyterp_
Respected Contributor

Re: SA2500 user redirect

Do you mean URL rather than realm? If you want only one realm, all users will experience host checker running. If you can use more than one URL, you can have different host checker settings on each URL & realm.

James_ifs_
Occasional Contributor

Re: SA2500 user redirect

"do you mean URL rather than realm? If you want only one realm, all users will experience host checker running. If you can use more than one URL you can have different host checker settings on each url & realm"

 

 

Yes, I was hoping to use only one realm but only have the users who need to run host checker run it. I understand that if I set host checker to "Evaluate policies", everyone who logs into the realm would have to download and run hostcheck whether they needed it or not. I was hoping to avoid that, as host checker is a massive pain.

If I need to use two realms, how easy is it to add a splash page giving the users a link to a different realm? I understand this can be done by a drop down box when logging in, but we also use an RSA token and a 4th box would only confuse our users.

 

Thanks,

James

 

 

jayLaiz_
Super Contributor

Re: SA2500 user redirect

If we use a splash page with a link to the REALM not using HC, it is going to redirect back to the same URL.

You can have separate sign-in URLs for the separate REALMS.

 

Regards,

Jay

-red-_
Frequent Contributor

Re: SA2500 user redirect

I'm not sure you're going to be able to pull this off without either a new URL or a realm drop down menu.

 

The only automated alternative I can think of involves tying two realms to the sign-in policy, then leveraging restrictions at the realm level preventing the users meant to go to realm a from logging into realm b, and so on. However, unless you can use something like user agent string or source IP to distinguish the users, that would not be an option.

 

 

James_ifs_
Occasional Contributor

Re: SA2500 user redirect

I could distinguish the users by MAC address; would that work?

-red-_
Frequent Contributor

Re: SA2500 user redirect

I do not believe you can use MAC address.

Looking under Realm->Authentication, Source IP and User agent strings are your best bet, assuming you can take advantage of them. Some type of client side certificate restriction may also be an option, but I've not messed with that feature, so can't really comment on it. Even if possible, I imagine managing client side certs could be a potential headache.

zanyterp_
Respected Contributor

Re: SA2500 user redirect

MAC address restrictions are not possible for distinguishing access; source IP, user agent restrictions, certificates, or separate URL sequences are your best bet