Jump to content
Welcome to our new Citrix community!

Skip Check response


Larry Wade

Recommended Posts

You've provided too few details to give you a good answer.

Are you referring to when using the Gateway (vpn vserver) with an EPA scan, you want if "skip check" is used it default to deny access?

It also depends if the epa scan is running preauth or as the expression of a session policy. Approach might vary slightly.

Also, helps to understand if you are using the classic or advanced policy engines.

 

If so, then

1) Set a default authorization action to deny in the vpn global parameters.  Then everyone is denied unless a policy sets allow.

2) Usually then when your EPA scan (preauth policy is evaluated), an authorization:allow is set.

For EPA/nfactor policies that run before authe or session policy evaluation, you can use the successful epa scan to move a user to a temporary group such as ns_epascan_passed. Create a AAA group on the system (doesn't need to be a group in AD), and set the policy action's authorization group (or authentication group) parameter to this temp group membership.

During the next phase, either a session policy with the Default authorization:Allow (client security tab) can be set per group or on the vpn vserver but with the aaa.user.is_member_of("ns_epascan_passed") group filter.

If the EPA scan is done in the session policy expression (though this implies classic engine), once the scan is successful set the authorization:allow behavior on the client security tab.

 

Any account that doesn't get an explicit policy setting the authorization to allow, inherits the global authorization deny. 

You may need to adjust so there is NOT a default authorization allow on the default policy attached to the vpn vserver.

 

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...