Hostchecker remedy and continue button
I am working on the Host Checker and its remedy. According to the admin guide (general notes), the user can click the Continue button to bypass the host checking with limited access.
Does anyone know how to implement the action for the Continue button, such as which auth server to authenticate against, which realm to use and what roles to assign, etc.?
The doc is written badly and hopefully the community can help me out. Please… :roll:
Yo - everything is easy when you know how it works.
But I am trying to get an ASA running for some project with “Cut-Through Proxy” functionality for guest authentication. But I cannot get it to do an automatic rewrite when users come with an http request, to redirect them to an https authentication website, though I use “aaa authentication secure-http-client”.
It works fine - but this rewriting of http to https drives me insane in da brain for days!
(Maybe it's just a question of taste - I don't know.) Cheers!
In fact, I find the admin guide a bit overwhelming.
When doing ASA, some parts of it are better done via CLI and some via GUI. People say ASA is the easiest firewall to deploy compared to other firewalls…maybe…maybe not…we need to keep sinking in the IT world though… …. :evil: :evil: :evil:
Yo - I also got help from experienced members here when I started with IVE. In the beginning there is a lot of confusion when you have to understand how it all works together. So it's good to find a “helping hand” beyond the admin guides. Though the admin guides and the administrative concept of IVE are SUPERB. When I have to configure Cisco stuff (ASA) I get much more of a headache.
Thanks Spacyfreak…you saved my day!!
I hope there will be a point system soon in this forum to recognize people like you contributing to the community!
In our user environment, we need to allow users to access basic stuff like email although they are not compliant.
Anyway, I will take your advice and not complicate the matter.
You could configure a “Secure Workplace” as a remediation action when the user does not want to update his PC. I prefer not to let users in when their PCs are not compliant. That's the best way of educating the users to take care.
Yeah…I also cannot find how to customize the Continue button. It seems the clean and easy way to achieve this is to put the URL in the reason message to go to another sign-in page.
If that is the case, Juniper shouldn’t include the Continue button at all, which confused me a lot. The extract from the Admin Guide (p256) which confused me is:
"Users may see the remediation page in the following situations:
Before the user signs in:
- If you enable custom instructions for a policy that fails, the IVE displays the remediation page to the user. The user has two choices:
  - Take the appropriate actions to make his computer conform to the policy and then click the Try Again button on the remediation page. Host Checker checks the user’s computer again for compliance with
  - Leave his computer in its current state and click the Continue button to sign in to the IVE. He cannot access the realm, role, or resource that requires compliance with the failed policy."
Better to take Host Checker as it is and not change it too much - troubleshooting will be harder when you get a problem, and support will not be able to help when you change the system too much.
Just configure your HC policies on the IVE (Antivirus etc.) and configure a Remediation-Test (“Dear User, your PC's safety status is awful. Your antivirus is from 1834. Please click here to update your AV signatures. Start your browser again after you have updated Antivirus. Otherwise, you can click HERE to enter the Kiosk Mode Sign-In Page. Thank you for your time”).
That works stably, and the users know what they have to do.
Don't waste too much time on this.
I did not find a way to change the behaviour on clicking the “Continue” button. Host Checker seems to access some DLLs for the proper language and stuff, and it looked complicated to me to put hands on this.
So I configured a Host Checker website, which appears when a user's PC safety status is not compliant. There the user can access another sign-in page (for example ive.company.com/restrict) with less functionality. There I have a website which has a login in “kiosk mode” where the user can only click the password via a virtual keyboard with the mouse, to prevent keyloggers from stealing the password (just an idea of how to configure it).
The Continue button in Host Checker only starts a new process of “evaluating the client's safety status”. But sometimes the button fails - so I wrote a message in the Host Checker error message webpage that the user should start the browser again after the antivirus signatures are updated.
But Host Checker works superbly and fast - I am impressed by the functionality.
It seems my question is very confusing…nobody has been able to help me out yet…
I have created 2 sign-in URLs, 2 user realms and 2 HCs. What I would like to achieve is: if HC fails on vpn.abc.com, show the remedy page. When the user clicks the Continue button, forward them to vpn.abc.com/restricted to allow login with minimum access.
Now the catch is I want it to be done on the Continue button instead of asking the user to go to vpn.abc.com/restricted in the remedy reason.
Hope to get some good response… :mrgreen:
Thanks in advance.