About AuthPoint Authentication Policies

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

Configure authentication policies to specify which resources AuthPoint users can authenticate to and which authentication methods they can use (Push, QR code, and OTP). When you configure an authentication policy, you specify:

  • Whether the policy allows or denies authentications.
  • Which authentication methods are required.
  • Which resources the policy applies to.
  • Which user groups the policy applies to.
  • Which policy objects apply to the authentications.

Users who are not members of a group that has an authentication policy for a specific resource cannot authenticate to log in to that resource.

Authentication policies have several key components:

Resources

Resources are the applications and services that your users connect to, such as Salesforce, Microsoft 365, a VPN, or your Firebox. When you add a resource, you provide the information required to connect to that resource.

Groups

Groups are how you define which resources your users have access to. You add users to groups in AuthPoint, then you add the groups to the authentication policies that specify which resources users can authenticate to.

Policy Objects

Policy objects are the individually configurable components of a policy, such as network locations. You configure policy objects and then add them to authentication policies. When you add a policy object to an authentication policy, the policy only applies to user authentications that match the conditions of the authentication and the policy objects. For example, if you add a specific network location to a policy, the policy only applies to user authentications that come from that network location.

Network location policy objects enable you to configure a list of IP addresses. You can then configure specific authentication policies that only apply when users authenticate from these IP addresses.

Geofence policy objects enable you to specify a list of countries. You can then configure authentication policies that only apply when users authenticate from the specified countries.

Geokinetics policy objects enable you to compare the user's current location with the location of their last valid authentication. AuthPoint automatically denies authentications from a location the user could not have travelled to since their previous authentication, based on the distance and time between the two authentications.

Time schedule policy objects enable you to specify the dates and times when authentication policies apply to user authentications.

Requirements and Recommendations

When you configure policies, make sure you follow these requirements and recommendations:

Add Authentication Policies

To configure an authentication policy, in the AuthPoint management UI:

  1. Select Authentication Policies.
  2. Click Add Policy.

Screenshot of the Authentication Policies list.

  3. Type a name for the policy.
  4. From the Select the authentication options drop-down list, select an option to specify whether to require MFA or to deny authentications for this policy.
    • Authentication options — Require MFA when users in the groups associated with this policy authenticate to the resources associated with this policy.
    • Authentication not allowed — Deny authentications when users in the groups associated with this policy try to authenticate to the resources associated with this policy.

Screenshot of selecting the authentication options on the Add Policy page.

  5. If you require MFA for this policy, select the check box for each authentication method that users can choose from when they authenticate. For more information about authentication methods, see About Authentication.

    If you enable the push and OTP authentication methods for a policy, RADIUS resources associated with the policy use push notifications to authenticate users.

    QR code authentication is not supported for RADIUS resources.

    Geokinetics policy objects are not applied for Logon app, RD Web, and ADFS resources if the authentication policy requires only a password (no MFA).

Screenshot of the Add Policy page with authentication options selected.

  6. For policies that include a Microsoft 365 resource, if you require authentication for a machine or resource that is part of your Microsoft 365 domain but cannot use MFA, such as a printer, select the Basic Authentication check box. Basic authentication is also called Enhanced Client or Proxy (ECP).
  7. From the Groups list, select which groups this policy applies to. You can select more than one group. To configure this policy to apply to all groups, select All Groups.
  8. From the Resources list, select which resources this policy applies to. To configure this policy to apply to all resources, select All Resources.

Screenshot of the Add Policy page with the groups and resources selected.

  9. Select which policy objects apply to this policy. When you add a policy object to an authentication policy, the policy only applies to user authentications that match the conditions of the authentication and the policy objects. For example, if you add a specific network location to a policy, the policy only applies to user authentications that come from that network location. For more information about policy objects, see About Policy Objects.

    For RADIUS authentication and basic authentication (ECP), policies that have a network location or geofence do not apply because AuthPoint does not have the IP address of the user or the origin IP address.

    If you configure policy objects, we recommend that you create a second policy for the same groups and resources without the policy objects. Assign a higher priority to the policy with the policy objects. For more information, see About Policy Precedence.

Screenshot of the Policy Objects selection on the Add Policy page.

  10. Click Save.
    Your policy is created and added to the end of the policy list.

    After you create a new policy, we recommend that you review the order of your policies. AuthPoint always adds new policies to the end of the policy list.

Screenshot of the Save button on the Add Policy page.

Screenshot of the Policy added to the Policies list.

Related Topics

About Policy Precedence

About Policy Objects