hostchecker policy

SOLVED
Kashif_
Occasional Contributor

hostchecker policy

Hi

Has anyone tested hostCheckerPolicy != 'myavpolicy' to map a role (!= or NOT)?

It's not working for me.

Do I need to write a custom expression to include both the user match criteria AND hostCheckerPolicy='myavpolicy', and let the second rule match * and assign the quarantine role through that?

 

Regards

Kashif

Kashif_
Occasional Contributor

Re: hostchecker policy

One more thing: if I use this method and push the VLAN from the IC, the quarantined users get an IP from DHCP and sit in that VLAN with no warnings on the supplicant.

Whereas when I enable the host checker enforcement, the IC pushes the warnings etc. to the user, but the user is totally off the network with the Odyssey client in a red state.

Is there a way I can do both, with the user having an IP and warnings as well?

 

Thanks

Kashif

kalagesan_
Super Contributor

Re: hostchecker policy

Hi Kashif,

Can you try doing role mapping based on username/group in the realm section with HC evaluated, and enforce host checker on the roles under the role restrictions options for the VLAN mapping?

This will help you to achieve the requirement. Please revert for clarifications.

Regards,

Kannan

Kashif_
Occasional Contributor

Re: hostchecker policy

Hi

Thanks for the reply.

My user logs in to the ACME realm. I have configured two rules for this realm:

1. user = * AND hostcheckerpolicy='myavpolicy' maps role acmerole and stops

2. user = * maps the Quarantine role.

The Quarantine role is configured to push the Quarantine VLAN ID and it works. But no non-compliance message is displayed to the user in this method.

When I enable host checker at the realm level in Require and Enforce mode, or when I enable the host checker on the acmerole restriction, the user gets disconnected from the network and is given proper warnings and everything.

I want both of these, meaning the non-compliant user pushed to the Quarantine VLAN and given non-compliance warnings as well.

Regards

Kashif

kalagesan_
Super Contributor

Re: hostchecker policy

Hi Kashif,

I understand your requirement; maybe you need to try the below role mapping rule configurations based on username and custom expressions.

Rule 1: if username is * then map this rule to the acme role.

Rule 2 for acme role: custom expression rule for HC policy passing, map this rule to the acme role.

hostCheckerPolicy = 'Host-Check'

Also check the "Stop processing rules when this rule matches" option in the role mapping rule.

Rule 3 for quarantine VLAN username:
if username is * then map this rule to the QVLAN role.

Rule 4 for quarantine VLAN: custom expression rule for HC policy failure, map this rule to the QVLAN role.
hostCheckerPolicy != 'Host-Check'

Hope this resolves your issue.

NOTE:
Please mark this post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks!!

Regards,
Kannan

Kashif_
Occasional Contributor

Re: hostchecker policy

Thanks for your help Kannan.

I was able to do it in the following manner:

Map username * and hostcheckerpolicy=mypolicy to acmerole.

Map username * and hostcheckerpolicy!=mypolicy to acmerole and the non-compliant role.

The non-compliant role is configured to push the quarantine VLAN.

Disable Require and Enforce at the ACME realm level.

Enable host checker on acmerole.

Disable host checker on the non-compliant role.

The IC merges the settings for both roles and the end result is the user in the Quarantine VLAN with warnings.

If I do the reverse:

Disable host checker on acmerole.

Enable host checker on the non-compliant role.

Users go into the production VLAN with warnings.

Hope this helps others too.

 

Regards

Kashif
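Kannan's four-rule set and Kashif's final two-rule set, run through a small Python model of ordered role-mapping evaluation with the "Stop processing rules when this rule matches" flag. This is an added example, not Juniper or Pulse Secure code; the evaluator, the Session and Rule types, and the assumption that a hostCheckerPolicy term is true only when the endpoint passed that named policy are mine.

```python
import re
from dataclasses import dataclass, field
@dataclass
class Session:                       # constructed: one user's login attempt
    username: str
    passed_hc_policies: set = field(default_factory=set)  # empty = non-compliant

@dataclass
class Rule:
    expression: str                  # e.g. "hostCheckerPolicy != 'myavpolicy'"
    roles: list
    stop_processing: bool = False    # "Stop processing rules when this rule matches"

_TERM = re.compile(r"^\s*(username|hostCheckerPolicy)\s*(!=|=)\s*'([^']*)'\s*$")
def eval_term(term, s):
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    attr, op, value = m.groups()
    if attr == "username":
        hit = value == "*" or s.username == value
    else:  # assumption: the term is true only if the endpoint passed that policy
        hit = value in s.passed_hc_policies
    return hit if op == "=" else not hit

def eval_expression(expr, s):
    # Custom expressions here are conjunctions of simple terms joined by AND.
    return all(eval_term(t, s) for t in re.split(r"\bAND\b", expr))
def map_roles(rules, s):
    """Rules run top to bottom; roles merge across matching rules unless a
    matching rule carries the stop flag, which ends evaluation there."""
    roles = []
    for r in rules:
        if eval_expression(r.expression, s):
            roles.extend(x for x in r.roles if x not in roles)
            if r.stop_processing:
                break
    return roles
# Kannan's accepted four-rule configuration.
KANNAN_RULES = [
    Rule("username = '*'", ["acme"]),
    Rule("hostCheckerPolicy = 'Host-Check'", ["acme"], stop_processing=True),
    Rule("username = '*'", ["QVLAN"]),
    Rule("hostCheckerPolicy != 'Host-Check'", ["QVLAN"]),
]
# Kashif's final two-rule configuration.
FINAL_RULES = [
    Rule("username = '*' AND hostCheckerPolicy = 'mypolicy'", ["acmerole"]),
    Rule("username = '*' AND hostCheckerPolicy != 'mypolicy'", ["acmerole", "non-compliant"]),
]
```

Under both configurations a compliant endpoint ends up with only the production role, while a non-compliant one carries the production role plus the quarantine role, which is the merged-role outcome Kashif describes.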

Stanislas P_
Contributor

Re: hostchecker policy

Hi,

I think your configuration is complex!

You must create 2 roles:

- AD_user_Compliant (with host checker restriction)

- AD_user

Create one role mapping rule:

username=* => roles AD_user_Compliant and AD_user

Configure 2 802.1X attribute rules:

Rule 1: role AD_user_Compliant VLAN 10

Rule 2: role AD_user VLAN 20

If the host is compliant, VLAN 10 is applied; if not, VLAN 20 is applied and the OAC displays a warning.

Regards,

Stanislas

kalagesan_
Super Contributor

Re: hostchecker policy

Hi Kashif,

Thanks for your update. I am glad that your requirement is achieved on the reported issue.

 

Regards,

Kannan

Kashif_
Occasional Contributor

Re: hostchecker policy

I don't think a warning would be displayed, as for the VLAN 20 role mapping policy the host checker did not fail, hence no warning would be generated. Simply VLAN 20 would be assigned.

Stanislas P_
Contributor

Re: hostchecker policy

When you configure a host checker restriction on a role, this host checker is added automatically as Evaluate in all realms mapping it.

So the warning will be displayed because the realm evaluates the host check and one role was unavailable due to this restriction.

 

Regards,

 

Stanislas