I want to be able to allow users to connect via network connect on iPads / iPhones / Macs and Windows machines but ideally also want to enable host checker.
Everything works fine on the Windows machines but iPads / iPhones / Macs fail to log on with an error of "Browser on host is not supported for Host Checker or Cache Cleaner."
Is there a way to skip host checker for unsupported browsers or somehow skip the check for iPad / iPhone / Mac devices?
Without host checker all iPads / iPhones / Macs and Windows machines work fine.
Some of my users have access to multiple devices.
My suggestion is to map users to roles based on useragent.
This way I blocked iPhone/iPad/Android devices from my Network Connect roles.
Thanks for the reply,
Could you give me a bit more info on this?
I want to be able to have the same user use network connect on a PC with host checker but also on their Mac/iPhone/iPad without host checker as the browser is not supported.
Would creating different realms be the answer?
Create a custom expression to role map users to a specific iOS role, like userAgent = "JunosPulse*". I do not know how you role map your users today but this could be a start.
If you are using AD groups for role mapping, your custom expression could look like this:
userAttr@<nameofAD>.memberof ='<groupname>' AND userAgent = "JunosPulse*"
You cannot enforce your Host Check policies on realm level with this solution..
Yes, you can create a new realm for this segregation. You can also use user-agents as mentioned previously.
Another option would be to have different URLs for the different device types (hostname- or path-based).
Your custom expression actually would fit our situation here as well.
However, can you elaborate a bit more on the expression itself?
When I try and create a custom expression using your method I get an error saying that I am using an illegal operator.
userAttr@.memberof ='' AND userAgent = "JunosPulse*"
My expression looks like:
userAttr@<ourdomain>.memberof ='<IOSusergroup>' AND userAgent = "JunosPulse*"
What fits in the domain box: is this the top-level domain (i.e. domain.local) or something else?
Hope someone can give us a hand.
I think I actually had to change this into 2 separate expressions..
# <ourdomain> is the name of your LDAP server where your users are located.
userAgent = "JunosPulse*"
I think I've got this working - host-checking for Windows PCs, and non-host-checking for iPhones/iPads. What I've done is as follows:
1. Create a realm called Non-iphones and configure it up for host-checking as per normal.
2. In that realm, under "Authentication Policy | Browser" configure it to "Only allow users matching the following User-agent policy"
3. In the matching list, configure *iPhone* and deny that. Do the same for *iPad*. Last in the list, put just a * and allow that.
4. Create a second realm called iPhones and don't configure host-checking.
5. Repeat steps 2 and 3 but do it the other way around - permit *iPhone* and *iPad* and deny *.
Hope that helps....
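
The two-realm User-agent policy from the post above, modelled as an added example (not the poster's or the vendor's code) so the split can be checked before it is configured. It assumes the appliance evaluates each pattern list top-down with the first match winning and matches patterns case-sensitively; the function names and the shortened User-Agent strings are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Ordered User-agent policies from steps 3 and 5 as (pattern, action).
# Assumption: the list is evaluated top-down and the first match wins.
REALMS = {
    "Non-iphones": [("*iPhone*", "deny"), ("*iPad*", "deny"), ("*", "allow")],
    "iPhones": [("*iPhone*", "allow"), ("*iPad*", "allow"), ("*", "deny")],
}
# Host Checker is configured only on the first realm (steps 1 and 4).
HOST_CHECKER = {"Non-iphones": True, "iPhones": False}


def realm_allows(policy, user_agent):
    """Return True if the first matching rule allows this user agent."""
    for pattern, action in policy:
        if fnmatchcase(user_agent, pattern):
            return action == "allow"
    return False  # no rule matched: treat as deny


def admitted_realms(user_agent):
    """Names of all realms whose policy would admit this user agent."""
    return [n for n, p in REALMS.items() if realm_allows(p, user_agent)]


def audit(samples):
    """Map each label to (realm, host_checker_enforced).

    Raises if a user agent is admitted by no realm or by more than one,
    which would mean a lockout or a way around the host-checked realm.
    """
    result = {}
    for label, ua in samples.items():
        realms = admitted_realms(ua)
        if len(realms) != 1:
            raise ValueError(f"{label}: admitted to {realms}, expected one")
        result[label] = (realms[0], HOST_CHECKER[realms[0]])
    return result


# Constructed, shortened User-Agent strings (not captured traffic).
SAMPLES = {
    "windows": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534 Safari/534",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) Safari/7534",
    "ipad": "Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X) Safari/7534",
    "mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7) Safari/534",
}

if __name__ == "__main__":
    for label, (realm, checked) in audit(SAMPLES).items():
        print(f"{label:8} -> {realm:12} host checker: {checked}")
```

The Macintosh sample is admitted only by the host-checked realm, so Macs need their own pattern in both lists if they are to skip Host Checker. Because the User-Agent header is supplied by the client, keep the roles reachable from the non-host-checked realm limited to what you would grant an unchecked device.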