Since you have not checked "Stop processing rules when this rule matches", multiple roles you would have mapped to.

Instead of user name based role mapping, consider using custom expressions based rules using "hostCheckerPolicy"

Regards,

Raveen

Hi Raveen

do you have an example or some documnets about this?

can i use the custom expressions to match both the username and the hostchecker policy?

also what about the dynamic policy evaluation, it didnt work using the above settings, do you have any comments?

Thanks

Hi,

Yes, You can use the custom expressions to match both the username and the hostchecker policy using custom expressions.

Custom expressions usage is documented in UAC admin guide under host checker section, refer page#408, 432 , please
aslo refer Writing Custom Expressions section under Cahpter 25 in UAC admin guide.

http://www.juniper.net/techpubs/software/uac/4.1xguides/j-ic-uac-4.1-adminguide.pdf

Dynamic policy evaluation should work, kindly check the interavl time configured, also ensure that you have enabled Refresh roles option
under Dynamic policy evaluation.

Also ensure that "Perform check every X minutes" field is enabled with appropriate time value under Authentication > Endpoint Security > Host Checker.
Please refer Specifying General Host Checker Options in admin guide page 43

Please revert for any assistance.

NOTE:
Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks!!

Regards,

Kannan

so what i understood from you, that for the hostchecker policies to be considered in roles assignments, the custome expressions have to be configured in the role mapping roles?

also i want to check the "stop processing roles when this role matches" option, so i have to configure the custom expressions in the role mapping, else the roles mapping will be based on the users authentication and will not consider the host checker policy, is this right?

Thanks Kannan

Hi,

IC Series maps user to one or more user roles and pushes policies enforces role restrictions, determines valid user role for users who meet the requirements of role restrictions including host checker restrictions configure for each role.

IC merges the valid roles for the user, if the IC is not configured to merge roles, then IC assigns the user to the first role to which the user has been mapped.

Since you have been mapped to multiple roles, dynamic policy evaluation would not have taken into effect.

Yes, your understanding is correct, better way to map user roles is to use custom expressions with Hostcheckpolicy.

And for your use-case, you can have one role-mapping-rule based on custom-expressions and stop processing if machine meets host-check-policy(say full access role). And other default, propably based on user-name(say quarantine role)

Regards,

Raveen