Shabbir (Contributor, registered 11-19-2008)

Role Mapping to both User and Remediation Role with host checker

Hi

I have configured the SSL VPN so that if the user name/password is correct (through AD) and the host checker policy is fulfilled, the user is placed in the User role, and if the host checker policy fails, the user is placed in the Remediation role.

On the SSL VPN I configured the following:

1- Authentication Server

2- Realm

2- Two roles, one User and the other Remediation

3- One host checker policy

4- The host checker policy enabled on the realm as evaluate only, not enforce

5- The host checker policy enabled on the User role as required and enforce

6- Two role mapping rules. The first rule gives the user the User role and the second rule gives the user the Remediation role.

Now what is happening: when the user signs in to the SSL VPN and the user name and password are correct and the host checker result is also correct, the user should map to only the User role, but it is mapped to both roles. If I make the first rule terminal, the user is not able to log in, and I saw in the logs that it says all roles are restricted. If the user does not fulfil the host checker, it is correctly mapped to only the Remediation role.

Kindly help me out; what am I missing?

kenlars (Recognized Expert, registered 03-24-2008)


Re: Role Mapping to both User and Remediation Role with host checker

Sounds like you are very close.

Can you share what your role mapping rules are? When you say that when you make the first rule terminal the user cannot log in, do you mean that the first rule has "stop on match" enabled?

What is the exact error message you are seeing in the logs?

Ken

RKB (Moderator, registered 09-22-2008)


Re: Role Mapping to both User and Remediation Role with host checker

Shabbir:

Try modifying step #6 for role mapping:

a) Create a first rule which is based on custom expressions.

b) Click on Update, then on Expressions.

c) Add the expression as below:

hostCheckerPolicy = ("testfile") AND  user = '*'

d) Note: in the above, testfile is the name of the host checker policy you have created.

e) Save the expression.

f) On the role mapping page, give a rule name, select the expression that you created, and assign the User role.

g) Ensure you enable "Stop processing rules when this rule matches". Save changes.

h) Create the second role mapping rule based on user name.

i) This rule just checks for the user name and maps to the Remediation role.

The above setup should work.


< please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus.. thanks >
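As an added illustration (not Juniper code and not from either poster), here is a small Python model of how the realm evaluates the rules discussed in this thread: rules run top to bottom, each matching rule adds its roles, a rule with "Stop processing rules when this rule matches" ends evaluation, and a role whose required host checker policy failed is dropped. The Session/Rule classes, the rule names and the users alice and bob are constructed assumptions; the policy name testfile is the one from the post.

```python
"""Toy model of role mapping on a Juniper SSL VPN (Secure Access) realm.

Constructed illustration, not Juniper code. Rules run top to bottom; every
matching rule adds its roles; a rule with "Stop processing rules when this
rule matches" ends evaluation. A role that requires a host checker policy
(role-level "required and enforce") is dropped when that policy failed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

HC_POLICY = "testfile"  # name of the host checker policy from the thread


@dataclass
class Session:
    user: str
    passed: Set[str] = field(default_factory=set)  # host checker policies that passed


@dataclass
class Rule:
    name: str
    matches: Callable[[Session], bool]
    roles: List[str]
    stop_on_match: bool = False


# Role -> host checker policies the role itself requires (step 5 of the post).
ROLE_REQUIRES: Dict[str, Set[str]] = {"User": {HC_POLICY}, "Remediation": set()}


def map_roles(rules: List[Rule], s: Session) -> List[str]:
    """Roles the user ends up in, or [] when every mapped role is restricted."""
    mapped: List[str] = []
    for rule in rules:
        if rule.matches(s):
            mapped += [r for r in rule.roles if r not in mapped]
            if rule.stop_on_match:
                break
    return [r for r in mapped if ROLE_REQUIRES[r] <= s.passed]


# Shabbir's original step 6: both rules key only on the user name.
ORIGINAL = [
    Rule("user-by-name", lambda s: s.user != "", ["User"]),
    Rule("remediation-by-name", lambda s: s.user != "", ["Remediation"]),
]

# RKB's suggestion: custom expression  hostCheckerPolicy = ("testfile") AND user = '*'
# as a stop-on-match first rule, then a name-only rule for Remediation.
SUGGESTED = [
    Rule("hc-pass", lambda s: HC_POLICY in s.passed and s.user != "", ["User"], True),
    Rule("remediation-by-name", lambda s: s.user != "", ["Remediation"]),
]

if __name__ == "__main__":
    healthy, broken = Session("alice", {HC_POLICY}), Session("bob")
    for label, rules in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, map_roles(rules, healthy), map_roles(rules, broken))
```

With the original rules a healthy endpoint lands in both roles and a failing one in Remediation only, which is what the first post reports; with the suggested rules a healthy endpoint gets only User and a failing one only Remediation.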

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.