03-02-2011 10:28 PM
I have configured the SSL VPN so that if the user name/password is correct (through AD) and the user fulfils the host checker policy, then the user should be placed in the User role, and if the host checker policy fails, then the user should be in the Remediation role.
On the SSL VPN I configured below:
1- Authentication Server
2- Two roles: one is User and the other is Remediation
3- I configured one host checker policy
4- I enabled the host checker policy on the realm as evaluate only, not enforce
5- I enabled the host checker policy on the User role as required and enforced
6- Two role mapping rules. The first rule gives the user the User role and the second rule gives the user the Remediation role.
Now, what is happening: when the user signs in to the SSL VPN, the user name and password are correct and the host checker result is also correct, so it should map to only the User role, but it is mapped to both roles. If I make the first rule terminal, then the user is not able to log in, and I saw in the logs that it says all roles are restricted. If the user does not fulfil the host checker, then the user is correctly mapped to only the Remediation role.
Kindly help me out with what I am missing.
03-03-2011 02:03 PM
Sounds like you are very close.
Can you share what your role mapping rules are? When you say that when you make the first rule terminal the user cannot log in, do you mean that the first rule has "stop on match" enabled?
What is the exact error message you are seeing in the logs?
03-06-2011 07:39 PM
Try modifying step #6 for role mapping:
a) Create a first rule which is based on custom expressions.
b) Click on Update, then on expressions.
c) Add the expression as below:
hostCheckerPolicy = ("testfile") AND user = '*'
d) Note: in the above, testfile is the name of the host checker policy you have created.
e) Save expression.
f) On the role mapping page, give a rule name, select the expression that you created, and assign the User role.
g) Ensure you enable "Stop processing rules when this rule matches". Save changes.
h) Create the second role mapping rule based on user name.
i) This rule just checks for the user name and maps to the Remediation role.
The above setup should work.
< please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus.. thanks >
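As an added illustration (not code from the original thread, and not the appliance's own implementation), the following Python model shows why the rule order and the "Stop processing rules when this rule matches" flag matter. It evaluates an ordered list of role-mapping rules the way the steps above describe: the first rule matches only when the host checker policy named "testfile" passed, and stops further processing; the second rule matches on user name alone. The Session/Rule helpers and the assumption that the original first rule matched on user name only are mine, not from the post.

```python
"""Model of ordered role-mapping rules with a stop-on-match flag.

Added example; not code from the original thread or from the SSL VPN
appliance. Rule semantics (top-down evaluation, union of matched roles,
optional stop after a match) follow the procedure described in the post.
"""

from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple


@dataclass
class Session:
    """A signed-in user and the set of host checker policies that passed."""
    user: str
    hc_passed: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    name: str
    matches: Callable[[Session], bool]
    roles: Tuple[str, ...]
    stop_on_match: bool = False  # "Stop processing rules when this rule matches"


def map_roles(session: Session, rules: List[Rule]) -> List[str]:
    """Walk the rules top-down; collect roles from every matching rule,
    stopping after the first rule that matches and has the stop flag set."""
    mapped: List[str] = []
    for rule in rules:
        if rule.matches(session):
            for role in rule.roles:
                if role not in mapped:
                    mapped.append(role)
            if rule.stop_on_match:
                break
    return mapped


def hc_passed(policy: str) -> Callable[[Session], bool]:
    # Models the custom expression  hostCheckerPolicy = ("<policy>") AND user = '*'
    return lambda s: policy in s.hc_passed and s.user != ""


def any_user(s: Session) -> bool:
    # Models a rule that only checks the user name (user = '*')
    return s.user != ""


# Rules a)-i) from the post: host checker rule first, with stop-on-match,
# then a user-name-only fallback to Remediation.
RECOMMENDED = [
    Rule("hc-pass -> User", hc_passed("testfile"), ("User",), stop_on_match=True),
    Rule("any user -> Remediation", any_user, ("Remediation",)),
]

# Assumed reconstruction of the original step 6: both rules keyed on user
# name only, no stop flag. Every user matches both, so both roles map.
ORIGINAL_ASSUMED = [
    Rule("any user -> User", any_user, ("User",)),
    Rule("any user -> Remediation", any_user, ("Remediation",)),
]


def demo() -> dict:
    """Return the role sets for a compliant and a non-compliant user."""
    compliant = Session("alice", {"testfile"})
    noncompliant = Session("bob", set())
    return {
        "recommended/compliant": map_roles(compliant, RECOMMENDED),
        "recommended/noncompliant": map_roles(noncompliant, RECOMMENDED),
        "original/compliant": map_roles(compliant, ORIGINAL_ASSUMED),
    }


if __name__ == "__main__":
    for label, roles in demo().items():
        print(f"{label}: {roles}")
```

The model shows the two outcomes the thread describes: with the host checker condition in the first rule and stop-on-match enabled, a compliant user gets only User and a non-compliant user falls through to only Remediation; with two user-name-only rules, every user matches both and lands in both roles.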