About AuthPoint Authentication Policies

Configure authentication policies to specify which resources AuthPoint users can authenticate to and which authentication methods they can use (Push, QR code, and OTP). When you configure an authentication policy, you specify:

  • Whether the policy allows or denies authentications.
  • Which authentication methods are required.
  • Which resources the policy applies to.
  • Which user groups the policy applies to.
  • Which policy objects apply to the authentications.

Users who are not members of a group that has an authentication policy for a specific resource cannot authenticate to log in to that resource.

Authentication policies have several key components:

Resources

Resources are the applications and services that your users connect to, such as Salesforce, Office 365, a VPN, or your Firebox. When you add a resource, you provide the information required to connect to that resource.

Groups

Groups are how you define which resources your users have access to. You add users to groups in AuthPoint, then you add the groups to the authentication policies that specify which resources users can authenticate to.

Policy Objects

Policy objects are the individually configurable components of a policy, such as network locations. You configure policy objects and then add them to authentication policies. When you add a policy object to an authentication policy, the policy only applies to user authentications that match the conditions of the authentication and the policy objects. For example, if you add a specific network location to a policy, the policy only applies to user authentications that come from that network location.

Network location policy objects enable you to configure a list of IP addresses. You can then configure specific authentication policies that only apply when users authenticate from these IP addresses.

Time schedule policy objects enable you to specify the dates and times when authentication policies apply to user authentications.

Requirements and Recommendations

When you configure policies, make sure you follow these requirements and recommendations:

  • You must have at least one group before you can configure authentication policies.
  • For RADIUS authentication and basic authentication (ECP), policies that have a network location do not apply because AuthPoint does not have the IP address of the end user or the origin IP address.
  • Policies with policy objects only apply to user authentications that match the conditions of all policy objects. Users who only have a policy that includes policy objects do not get access to the resource when the conditions of the policy objects do not apply to the authentication. This is because they do not have a policy that applies, not because authentication is denied.
  • If you configure policy objects, we recommend that you create a second policy for the same groups and resources without the policy objects. Assign a higher priority to the policy with the policy objects.
  • If you enable the push and OTP authentication methods for a policy, RADIUS resources associated with that policy use push notifications to authenticate users.
  • You must enable the push authentication method for policies with MS-CHAPv2 RADIUS resources.
  • RADIUS resources do not support QR code authentication.
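
The fall-through behavior in the requirements above, as an added example (a simplified Python model written for this page, not WatchGuard code). It assumes list order is priority order and that the first applicable policy decides; the `Policy` class, resource type strings, group names, and addresses are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NO_CLIENT_IP = {"radius", "ecp"}  # per the page: no end-user IP is available for these

@dataclass
class Policy:
    name: str
    groups: set
    resources: set
    methods: frozenset = frozenset()   # subset of {"push", "qr", "otp"}
    networks: tuple = ()               # network location policy object (CIDR strings)
    allow: bool = True                 # False models "Authentication not allowed"

def applies(p, group, resource, rtype, src_ip):
    if group not in p.groups or resource not in p.resources:
        return False
    if not p.networks:
        return True
    # A policy with a network location never applies to RADIUS or ECP requests.
    if rtype in NO_CLIENT_IP or src_ip is None:
        return False
    return any(ip_address(src_ip) in ip_network(n) for n in p.networks)

def evaluate(policies, group, resource, rtype, src_ip=None):
    """Return (policy name, outcome) for one authentication attempt."""
    for p in policies:                 # assumption: earlier in the list = higher priority
        if not applies(p, group, resource, rtype, src_ip):
            continue
        if not p.allow:
            return p.name, "denied"
        methods = set(p.methods)
        if rtype == "radius":
            methods.discard("qr")      # RADIUS resources do not support QR code
            if {"push", "otp"} <= methods:
                methods = {"push"}     # push + OTP enabled: RADIUS uses push
        return p.name, "mfa:" + ",".join(sorted(methods))
    return None, "no applicable policy"  # not a deny, but the user still gets no access

# Constructed sample: a location-scoped policy first, an unscoped fallback second.
OFFICE = Policy("office-otp", {"staff"}, {"vpn", "salesforce"},
                frozenset({"otp"}), ("203.0.113.0/24",))
FALLBACK = Policy("anywhere-push", {"staff"}, {"vpn", "salesforce"},
                  frozenset({"push", "otp"}))

if __name__ == "__main__":
    print(evaluate([OFFICE], "staff", "salesforce", "saml", "198.51.100.7"))
    print(evaluate([OFFICE, FALLBACK], "staff", "salesforce", "saml", "198.51.100.7"))
    print(evaluate([OFFICE, FALLBACK], "staff", "vpn", "radius"))
```

With only the location-scoped policy, an off-network user and every RADIUS request fall through to "no applicable policy"; adding the lower-priority fallback gives them a policy that applies.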

Add Authentication Policies

To configure an authentication policy, in the AuthPoint management UI:

  1. Select Authentication Policies.
  2. Click Add Policy.

Screenshot of the Authentication Policies list.

  3. Type a name for the policy.
  4. From the Select the authentication options drop-down list, select an option to specify whether to require MFA or to deny authentications for this policy.
    • Authentication options — Require MFA when users in the groups associated with this policy authenticate to the resources associated with this policy.
    • Authentication not allowed — Deny authentications when users in the groups associated with this policy try to authenticate to the resources associated with this policy.

Screenshot of selecting the authentication options on the Add Policy page.

  5. If you require MFA for this policy, select the check box for each authentication option users can select from when they authenticate. For more information about authentication methods, see About Authentication.

    If you enable the push and OTP authentication methods for a policy, RADIUS resources associated with the policy use push notifications to authenticate users.

    QR code authentication is not supported for RADIUS resources.

Screenshot of the Add Policy page with authentication options selected.

  6. For policies that include an Office 365 resource, if you require authentication for a machine or resource that is part of your Office 365 domain but cannot use MFA, such as a printer, select the Basic Authentication check box. Basic authentication is also called Enhanced Client or Proxy (ECP).
  7. From the Groups list, select which groups this policy applies to. You can select more than one group. To configure this policy to apply to all groups, select All Groups.
  8. From the Resources list, select which resources this policy applies to. To configure this policy to apply to all resources, select All Resources.

Screenshot of the Add Policy page with the groups and resources selected.

  9. Select which policy objects apply to this policy. For more information about policy objects, see About Policy Objects.

    For RADIUS authentication and basic authentication (ECP), policies that have a network location do not apply because AuthPoint does not have the IP address of the user or the origin IP address.

    If you configure policy objects, we recommend that you create a second policy for the same groups and resources without the policy objects. Assign a higher priority to the policy with the policy objects. For more information, see About Policy Precedence.

Screenshot of the Policy Objects selection on the Add Policy page.

  10. Click Save.
    Your policy is created and added to the end of the policy list.

    After you create a new policy, we recommend that you review the order of your policies. AuthPoint always adds new policies to the end of the policy list.

Screenshot of the Save button on the Add Policy page.

Screenshot of the Policy added to the Policies list.

See Also

About Policy Precedence

About Policy Objects