Network Location Policy Objects

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

Network location policy objects enable you to specify a list of IP addresses. You can then configure authentication policies that only apply when users authenticate from the IP addresses in the specified network location. You might do this if you want to allow users to log in without MFA when they are in the office.

When you add a network location to an authentication policy, the policy only applies to user authentications that come from that network location. Users who only have a policy that includes a network location cannot get access to the resource when they authenticate outside of that network location (because they do not have a policy that applies, not because authentication is denied).

When you configure a policy that includes a network location, we recommend that you create a second policy without the network location for the same groups and resources. The second policy applies to the users when they are not in the network location. Make sure the policy with the network location has a higher priority than the policy without the network location. For more information, see About Policy Precedence.

Network locations require that the end-user has an Internet connection.

For RADIUS authentication and basic authentication (ECP), policies that include a network location do not apply because AuthPoint cannot determine the IP address of the end user or the origin IP address.

Network Locations for RDP

For Remote Desktop Protocol (RDP) connections, AuthPoint uses the IP address that connects to port 3389 or port 443 to determine if the authentication originates from a network location.

If you configure RDP to use a port other than 3389 or 443, AuthPoint cannot identify the IP address of the end-user. In this scenario, policies with a network location do not apply to the authentication.

If you have a firewall, the network location receives the trusted IP address of the firewall, not the IP address of the end-user.

To allow users on your network to use RDP to connect to a server on the network without MFA, you can create a network location that includes the private IP addresses of the internal users, but not the internal IP address of the firewall. Add this network location to a policy that only requires password authentication. With this configuration:

  • Internal users can connect to the server without MFA.
  • External connections that come through the firewall require MFA.

Create Network Locations to Bypass MFA

To configure a "safe" location that does not require MFA when users authenticate, you must configure a network location and add it to an authentication policy that only requires password authentication. This allows users to log in with only their passwords (no MFA) when they authenticate from the specified network location to the resources in the authentication policy.

This section provides examples to help you configure network locations for different use cases for local or external networks. In these examples, we use these definitions:

  • Local Network — Computers inside the company network are considered local.
  • External Networks — Computers outside the company network are considered external.
  • VPN Connections — Computers that are connected to a company VPN are considered part of the local network.
  • Public IP Address — Public IP address used to connect to the Internet.
  • Local IP Address — IP address used inside the local network.
  • User IP Address — IP address of the user's computer, on an external network.
  • Terminal Connections — Connection where a user logs in to the computer directly.
  • Remote Connections— Connection where a user logs in to a computer with an RDP connection.

Configure a Network Location

To configure a network location policy object, in the AuthPoint management UI:

  1. From the AuthPoint navigation menu, select Policy Objects.

Screen shot that shows the Policy Objects page.

  1. Click Add Policy Object.
    The Add Policy Object page appears.

Screen shot of the Type drop-down list on the Add Policy Object page.

  1. From the Type drop-down list, select Network Location.
    Additional fields appear.
  2. In the Name text box, type a name to identify this network location policy object. This helps you identify the network location when you add it to authentication policies.
  3. In the IP Mask text box, type a public IP address or netmask that defines the range of public IP addresses for this network location and press Enter or Return. You can specify multiple IP addresses and ranges for one network location.

    AuthPoint only supports IPv4 addresses for network locations.

    You cannot add the IP addresses 0.0.0.0 or 255.255.255.255 to a network location.

Screen shot that shows the network location fields on the Add Policy Object page.

  1. Click Save.
  2. Add this network location to the authentication policies that you want it to apply to. For more information, see Add Authentication Policies

    We recommend that you create a second policy for the same groups and resources without the network location to apply to users when they are not in the network location. Make sure the policy with the network location has a higher priority than the policy without the network location. For more information, see About Policy Precedence.

Related Topics

About AuthPoint Authentication Policies

About Policy Objects

Time Schedule Policy Objects

Geofence Policy Objects