About AuthPoint Authentication Policies
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
Configure authentication policies to specify which resources AuthPoint users can authenticate to and which authentication methods they can use (Push, QR code, and OTP). When you configure an authentication policy, you specify:
- Whether the policy allows or denies authentications.
- Which authentication methods are required.
- Which resources the policy applies to.
- Which user groups the policy applies to.
- Which policy objects apply to the authentications.
Users who are not members of a group that has an authentication policy for a resource cannot authenticate to that resource.
Authentication policies have several key components:
Resources
Resources are the applications and services that your users connect to, such as Salesforce, Microsoft 365, a VPN, or your Firebox. When you add a resource, you provide the information required to connect to that resource.
Groups
Groups are how you define which resources your users have access to. You add users to groups in AuthPoint, then you add the groups to the authentication policies that specify which resources users can authenticate to.
Policy Objects
Policy objects are the individually configurable components of a policy, such as network locations. You configure policy objects and then add them to authentication policies. When you add a policy object to an authentication policy, the policy only applies to user authentications that match the conditions of the authentication and the policy objects. For example, if you add a specific network location to a policy, the policy only applies to user authentications that come from that network location.
Network location policy objects enable you to configure a list of IP addresses. You can then configure specific authentication policies that only apply when users authenticate from these IP addresses.
Geofence policy objects enable you to specify a list of countries. You can then configure authentication policies that only apply when users authenticate from the specified countries.
Geokinetics policy objects compare the user's current location with the location of their last valid authentication. AuthPoint automatically denies authentications from a location the user could not have travelled to since their previous authentication, based on the distance and time between authentications.
Time schedule policy objects enable you to specify the dates and times when authentication policies apply to user authentications.
Requirements and Recommendations
When you configure policies, make sure you follow these requirements and recommendations:
- You must have at least one group before you can configure authentication policies.
- For RADIUS authentication and basic authentication (ECP), policies that have a network location or geofence do not apply because AuthPoint does not have the IP address of the end user or the origin IP address.
- Policies with policy objects only apply to user authentications that match the conditions of all policy objects. Users who only have a policy that includes policy objects do not get access to the resource when the conditions of the policy objects do not apply to the authentication. This is because they do not have a policy that applies, not because authentication is denied.
- Policies with network locations only apply to user authentications that come from that network location. Users who only have a policy that includes a network location cannot access the resource when they authenticate outside of that network location.
- Policies with geofences only apply to user authentications that come from a country specified in the geofence policy object. Users who only have a policy that includes a geofence cannot get access to the resource when they authenticate outside of the specified countries.
- Policies with time schedules only apply to user authentications during the specified time schedule. Users who only have a policy that includes a time schedule cannot access the resource when they authenticate outside the hours of that time schedule.
- Policies with geokinetics do not affect the conditions of an authentication.
- If you configure policy objects, we recommend that you create a second policy for the same groups and resources without the policy objects. Assign a higher priority to the policy with the policy objects.
Geokinetics policy objects work differently than other policy objects because they apply after an authentication is complete. Geokinetics do not affect the conditions of an authentication, so when you add a geokinetics policy object to an authentication policy, you do not have to create a second policy without the geokinetics policy object.
- If you enable the push and OTP authentication methods for a policy, RADIUS resources associated with that policy use push notifications to authenticate users.
- You must enable the push authentication method for policies with MS-CHAPv2 RADIUS resources.
- RADIUS resources do not support QR code authentication.
Add Authentication Policies
To configure an authentication policy, in the AuthPoint management UI:
- Select Authentication Policies.
- Click Add Policy.
- Type a name for the policy.
- From the Select the authentication options drop-down list, select an option to specify whether to require MFA or to deny authentications for this policy.
- Authentication options — Require MFA when users in the groups associated with this policy authenticate to the resources associated with this policy.
- Authentication not allowed — Deny authentications when users in the groups associated with this policy try to authenticate to the resources associated with this policy.
- If you require MFA for this policy, select the check box for each authentication option users can select from when they authenticate. For more information about authentication methods, see About Authentication.
If you enable the push and OTP authentication methods for a policy, RADIUS resources associated with the policy use push notifications to authenticate users.
QR code authentication is not supported for RADIUS resources.
Geokinetics policy objects are not applied for Logon app, RD Web, and ADFS resources if the authentication policy requires only a password (no MFA).
- For policies that include a Microsoft 365 resource, if you require authentication for a machine or resource that is part of your Microsoft 365 domain but cannot use MFA, such as a printer, select the Basic Authentication check box. Basic authentication is also called Enhanced Client or Proxy (ECP).
- From the Groups list, select which groups this policy applies to. You can select more than one group. To configure this policy to apply to all groups, select All Groups.
- From the Resources list, select which resources this policy applies to. To configure this policy to apply to all resources, select All Resources.
- Select which policy objects apply to this policy. When you add a policy object to an authentication policy, the policy only applies to user authentications that match the conditions of the authentication and the policy objects. For example, if you add a specific network location to a policy, the policy only applies to user authentications that come from that network location. For more information about policy objects, see About Policy Objects.
For RADIUS authentication and basic authentication (ECP), policies that have a network location or geofence do not apply because AuthPoint does not have the IP address of the user or the origin IP address.
If you configure policy objects, we recommend that you create a second policy for the same groups and resources without the policy objects. Assign a higher priority to the policy with the policy objects. For more information, see About Policy Precedence.
- Click Save.
Your policy is created and added to the end of the policy list. Because AuthPoint always adds new policies to the end of the list, we recommend that you review the order of your policies after you create one.
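To make the matching rules from the Requirements and Recommendations list and the procedure above concrete, here is an added Python model (constructed for this page, not WatchGuard code or the AuthPoint API) of a highest-priority-first policy lookup with network location, geofence and time schedule objects. It shows the RADIUS/ECP case where no origin IP is available, and the "no applicable policy" outcome that the recommended fallback policy avoids; geokinetics is omitted because it applies after authentication rather than as a condition. The group, resource and CIDR values are constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the matching rules on this page (not WatchGuard code).
# Policies are checked in priority order; the first one that applies is used.
@dataclass
class Policy:
    name: str
    allow: bool = True                 # False models "Authentication not allowed"
    groups: set = field(default_factory=lambda: {"*"})     # "*" = All Groups
    resources: set = field(default_factory=lambda: {"*"})  # "*" = All Resources
    networks: list = field(default_factory=list)   # network location objects (CIDRs)
    countries: set = field(default_factory=set)    # geofence object (country codes)
    hours: tuple = None                # time schedule object: (start_hour, end_hour)

@dataclass
class AuthRequest:
    user_groups: set
    resource: str
    src_ip: str = None      # None for RADIUS/ECP: AuthPoint has no origin IP
    country: str = None     # None for RADIUS/ECP: no country without an IP
    hour: int = None        # local hour of the attempt, for time schedules

def objects_match(p: Policy, r: AuthRequest) -> bool:
    """All policy objects on a policy must match, or the policy does not apply."""
    if p.networks and (r.src_ip is None or
            not any(ip_address(r.src_ip) in ip_network(n) for n in p.networks)):
        return False
    if p.countries and (r.country is None or r.country not in p.countries):
        return False
    if p.hours and (r.hour is None or not (p.hours[0] <= r.hour < p.hours[1])):
        return False
    return True

def select_policy(policies: list, r: AuthRequest):
    """Return the highest-priority policy that applies to the attempt, or None."""
    for p in policies:
        if "*" not in p.groups and not (p.groups & r.user_groups):
            continue
        if "*" not in p.resources and r.resource not in p.resources:
            continue
        if objects_match(p, r):
            return p
    # No policy covers the attempt: the user cannot authenticate, but nothing
    # explicitly denied them. This is the gap the fallback policy closes.
    return None

# Constructed example: an office-only policy plus the recommended fallback, with the
# policy-object policy listed first because it must have the higher priority.
OFFICE = Policy("Office VPN", groups={"Staff"}, resources={"VPN"}, networks=["10.0.0.0/8"])
FALLBACK = Policy("Any location VPN", groups={"Staff"}, resources={"VPN"})
```

Run `select_policy([OFFICE], AuthRequest({"Staff"}, "VPN"))` to see the RADIUS case: the network location policy cannot apply without an origin IP, and with no fallback the result is `None` rather than a deny.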