cancel
Showing results for 
Search instead for 
Did you mean: 

Assigning the users dont comply to the Host Checker to the quarantine role

Contributor

Assigning the users dont comply to the Host Checker to the quarantine role

Hi

i have two roles; users and quarantine, there is a host checker policy assigned to the users role.

users whom didnt comply to this policy have to be assigned to the quarantine role.

i configured the following:

- created the two roles.

- configured the role mapping for the locally configured users to be assigned to the users role, and checked the stop roles matching check box.

- configured the role mapping for all users (*), to be assigned to the quarantine role and loacte it below the users role.

- enabled the dynamic policy evaluation in the Roles Realm.

the problems are:

1- users whom didnt comply didnt assign to the qurantine role. i unchecked the stop role matching in the users Role, then the not complied users assigned to the quarantine role (is this configuration right?)

2- after i did the above, the users whom assigned to the quarantine Role (due to the not complied policy) and fixed their problems, didnt reassigned to the users role, why? although i configured the dynamic policy evaluation!!

Thanks

6 REPLIES 6
Regular Contributor

Re: Assigning the users dont comply to the Host Checker to the quarantine role

Since you have not checked "Stop processing rules when this rule matches", multiple roles you would have mapped to.

Instead of user name based role mapping, consider using custom expressions based rules using "hostCheckerPolicy"

Regards,

Raveen

Contributor

Re: Assigning the users dont comply to the Host Checker to the quarantine role

Hi Raveen

do you have an example or some documnets about this?

can i use the custom expressions to match both the username and the hostchecker policy?

also what about the dynamic policy evaluation, it didnt work using the above settings, do you have any comments?

Thanks

Super Contributor

Re: Assigning the users dont comply to the Host Checker to the quarantine role

Hi,

Yes, You can use the custom expressions to match both the username and the hostchecker policy using custom expressions.

Custom expressions usage is documented in UAC admin guide under host checker section, refer page#408, 432 , please
aslo refer Writing Custom Expressions section under Cahpter 25 in UAC admin guide.

http://www.juniper.net/techpubs/software/uac/4.1xguides/j-ic-uac-4.1-adminguide.pdf

Dynamic policy evaluation should work, kindly check the interavl time configured, also ensure that you have enabled Refresh roles option
under Dynamic policy evaluation.

Also ensure that "Perform check every X minutes" field is enabled with appropriate time value under Authentication > Endpoint Security > Host Checker.
Please refer Specifying General Host Checker Options in admin guide page 43

Please revert for any assistance.

NOTE:
Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks!!

Regards,

Kannan

Contributor

Re: Assigning the users dont comply to the Host Checker to the quarantine role

so what i understood from you, that for the hostchecker policies to be considered in roles assignments, the custome expressions have to be configured in the role mapping roles?

also i want to check the "stop processing roles when this role matches" option, so i have to configure the custom expressions in the role mapping, else the roles mapping will be based on the users authentication and will not consider the host checker policy, is this right?

Thanks Kannan

Regular Contributor

Re: Assigning the users don't comply to the Host Checker to the quarantine role

Hi,

IC Series maps user to one or more user roles and pushes policies enforces role restrictions, determines valid user role for users who meet the requirements of role restrictions including host checker restrictions configure for each role.

IC merges the valid roles for the user, if the IC is not configured to merge roles, then IC assigns the user to the first role to which the user has been mapped.

Regular Contributor

Re: Assigning the users don't comply to the Host Checker to the quarantine role

Since you have been mapped to multiple roles, dynamic policy evaluation would not have taken into effect.

Yes, your understanding is correct, better way to map user roles is to use custom expressions with Hostcheckpolicy.

And for your use-case, you can have one role-mapping-rule based on custom-expressions and stop processing if machine meets host-check-policy(say full access role). And other default, propably based on user-name(say quarantine role)

Regards,

Raveen