| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hello,

We are currently using SecureClient NGXR60 Build 191 and making specific use of the Secure Domain Logon (SDL) and hotspot registration feature. We are also trialling the iPassConnect client v3.50 build 153.

The integration from within Windows works well: after enabling hotspot registration from the SecureClient (SC), we are able to connect to WiFi hotspots using the iPass client, which then calls the SC software and establishes a VPN to our gateway. We need to use the hotspot registration feature as we do not allow our users to disable the security policy.

The problem we have is when we attempt to do this process prior to the Windows logon. Ultimately we need to be able to create an encrypted logon session to our domain controller (SDL) from any remote access location using iPassConnect. The steps that we need to enable are:

1) Workstation boots to Windows logon GINA.
2) Hotspot registration needs to be enabled.
3) iPassConnect client is launched and connects to a remote access point.
4) SecureClient is launched and secure VPN to gateway is established.
5) User logs onto domain controller using an encrypted logon session.

However, both SDL and the iPassConnect client change the GINA.dll and cannot be used in conjunction to allow the above steps. The only way we can see to allow us to perform the above steps would be to use the iPass GINA, which once connected to a remote access point would then call the SecureClient and allow an encrypted logon session to our domain controller. This would remove the need for SDL; however, the problem lies in the fact that we need to be able to enable hotspot registration on startup for a limited period to allow the iPassConnect client to connect to a remote access point. At the moment, because hotspot registration is not enabled on startup, attempted connections to remote access points using iPass are blocked by the Desktop security policy.

Therefore, is there any way hotspot registration can be enabled on startup, or is there an alternative means to allow us to meet our objective? |
| |||
| Hi, we've got a similar issue. We are having problems with our Check Point SecureClient R56 and accessing wireless hotspots through iPass. The iPass client works fine, because we are able to connect to the hotspot without any problems when the VPN client isn't running, but when the VPN client is running iPass won't connect at all. Maybe it is something to do with the way our client is behaving and not allowing the data through, or it is a problem with the local policy? |
| |||
| Hi folks, Are you sure hotspot registration is needed? Using iPassConnect is supposed to bypass the need to do the local registration screen entirely. I've used it that way a few times at airports. SecureClient's hotspot registration is supposed to get you to the local registration page, but I don't think you need it. I couldn't use the new logon GINA in iPassConnect 3.5 because my ThinkPad replaces the GINA for the fingerprint reader. In my "all users@any" outbound desktop security policy, I allow connections to the iPass Data Centers, the same ones that we use for the RoamServer rules. Ray |
| |||
| Hi Ray, many thanks for your quick reply. To be honest, I am new to iPass; we just started using it. As for the policy to let the iPass data go through, I will check and try, and keep you posted. Again, Ray, many thanks for your help. |
| |||
| Hi Ray, I checked my desktop policy rules, and actually we did already set up a rule for all users@any, apart that instead of iPass in Service, we are allowing "any", which then should still work. I thought maybe it was because in the usersc.C files the hotspot value should be changed to True, but it already is. In my sr_gui_tde files, I see that SDL and SSO are not enabled; could that be it? I checked the Check Point SKs, and there is sk16789, which would correspond to this SDL and SSO not being enabled, and 3rd party GINA, but this is for FP3, and we are on R55 HFA_18. What is your opinion? Again, thank you for your help. |
| |||
| Hopefully this will help: We currently use our iPass client and VPN client separately, i.e. the iPass client connects to the hotspot, then the VPN starts and we log in that way. I know that our test iPass client would run a script and start the VPN client in CLI mode and set the option of sethotspotreg on when it starts. Thanks |
| |||
"apart that instead of iPass in Service, we are allowing "any" which then should still work." The iPass networks should be the destination, not the service. Ray |