Of course it is very convenient to be logged in to services automatically, without any interaction, by means of a certificate on the mobile device.
NetScaler of course provides this safeguard by verifying certificates. Not only can the validity of the certificate be checked; all other values of a certificate can also be evaluated in NetScaler using SSL policy expressions (expressions of the form CLIENT.SSL.CLIENT_CERT.xxx).
If, however, the criteria for the decision cannot be read directly from the certificate but have to be queried via LDAP in AD, certificate-based authentication alone is not enough. Instead, the username extracted from the certificate has to be used for an LDAP query against AD.
On an SSL VPN vServer the logic looks as follows:
- bind the certificate authentication as primary, with the value "two-factor off"
- bind the LDAP authentication as secondary, without user authentication
In the CLI this looks like this:
Cert authentication:
add authentication certAction CertAuth -userNameField SubjectAltName:PrincipalName
add authentication certPolicy Cert_Pol ns_true CertAuth
LDAP authorization:
add authentication ldapAction Auto_Peter.lab -serverIP 192.168.178.10 -ldapBase "dc=Peter,dc=lab" -ldapBindDn "cn=service,cn=users,dc=Peter,dc=lab" -ldapBindDnPassword huhu -encrypted -ldapLoginName UserPrincipalName -groupAttrName memberOf -subAttributeName cn -authentication DISABLED
add authentication ldapPolicy LDAP_Autor ns_true Auto_Peter.lab
The simplest way to implement this is an SSL VPN vServer:
bind vpn vserver CertVPN -policy Cert_Pol
bind vpn vserver CertVPN -policy LDAP_Autor -secondary
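An added example, not from the original post: a small Python audit of ns.conf-style lines that checks the binding order described above. An LDAP action with -authentication DISABLED reports success for any user it finds, without checking a password, so it must only ever run behind the certificate policy. The names audit, opt and SAMPLE_CONF are constructed for illustration, and the sample is abridged from the commands on this page.

```python
import shlex

# Constructed sample: this page's commands as ns.conf lines (LDAP action abridged).
SAMPLE_CONF = """\
add authentication certAction CertAuth -userNameField SubjectAltName:PrincipalName
add authentication certPolicy Cert_Pol ns_true CertAuth
add authentication ldapAction Auto_Peter.lab -serverIP 192.168.178.10 -ldapLoginName UserPrincipalName -authentication DISABLED
add authentication ldapPolicy LDAP_Autor ns_true Auto_Peter.lab
bind vpn vserver CertVPN -policy Cert_Pol
bind vpn vserver CertVPN -policy LDAP_Autor -secondary
"""

def opt(tokens, name):
    """Value following option `name` (case-insensitive), or None."""
    low = [t.lower() for t in tokens]
    if name in low and low.index(name) + 1 < len(tokens):
        return tokens[low.index(name) + 1]
    return None

def audit(conf):
    """List vservers where a password-less LDAP lookup is not gated by a primary cert policy."""
    lookup_actions, ldap_policies, cert_policies, binds = set(), {}, set(), {}
    for line in conf.splitlines():
        t = shlex.split(line)
        head = [x.lower() for x in t[:3]]
        if head == ["add", "authentication", "ldapaction"]:
            if (opt(t, "-authentication") or "").lower() == "disabled":
                lookup_actions.add(t[3])
        elif head == ["add", "authentication", "ldappolicy"]:
            ldap_policies[t[3]] = t[-1]          # policy name -> action name
        elif head == ["add", "authentication", "certpolicy"]:
            cert_policies.add(t[3])
        elif head == ["bind", "vpn", "vserver"] and opt(t, "-policy"):
            slot = "secondary" if "-secondary" in [x.lower() for x in t] else "primary"
            binds.setdefault(t[3], {"primary": [], "secondary": []})[slot].append(opt(t, "-policy"))
    findings = []
    for vserver, b in binds.items():
        def is_lookup(p):
            return ldap_policies.get(p) in lookup_actions
        for p in filter(is_lookup, b["primary"]):
            findings.append(f"{vserver}: {p} (LDAP, authentication disabled) is bound as primary")
        if any(map(is_lookup, b["secondary"])) and not any(p in cert_policies for p in b["primary"]):
            findings.append(f"{vserver}: LDAP lookup is secondary but no certificate policy is primary")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "OK: certificate primary, LDAP lookup secondary")
```

An empty list means every vServer that uses the password-less LDAP lookup has it bound as secondary behind a certificate policy.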
If only access to a website is needed, "ICAOnly ON" is sufficient: a "Basic" vServer, which requires no CCU, with a session policy assigned to it.
set vpn vserver CertVPN -icaonly ON
add vpn sessionAction Cert_WEBPage -defaultAuthorizationAction ALLOW -icaProxy ON -wihome "http://Service.peter.lab/landingpage.html"
add vpn sessionPolicy Cert_WebPage_Pol ns_true Cert_WEBPage
To also assign the landing page in the SSL VPN based on groups, create the AD groups and assign the matching landing page to them with a higher priority:
add aaa group administrators
add vpn sessionAction ICAProxy_WEBAdmin -defaultAuthorizationAction ALLOW -icaProxy ON -wihome "http://Service.peter.lab/admin-landingpage.html"
add vpn sessionPolicy ICAProxy_WebAdmin ns_true ICAProxy_WEBAdmin
bind aaa group administrators -policy ICAProxy_WebAdmin -priority 0
To check a certificate in the local system store (that is, client certificates instead of user certificates), the query via the browser is not enough. Here, however, EPA can be used to reach the service of the locally installed Access Client, which is allowed to read the device certificates. In the CLI this looks like this:
add vpn vserver CertVPN SSL443 -deviceCert ON -certkeyNames peter.lab_rootcert
However, this option requires EPA, which in turn requires CCU ("ICAProxy Off").