Scenario: Determining an Improbable Travel Event

You want to configure a policy that restricts access to the HR portal outside working hours. You are also concerned about bot attacks and unusual, suspicious access requests from around the world. This policy should prompt the user for additional authentication if any one of the following conditions is met:

  • The device is not recognized

  • A login attempt is made from a different geolocation than the user’s registered location

  • Consecutive login attempts are made within a short time from locations too far apart to travel between in that time (improbable travel). For example, a user logs in at 4 PM MST in the USA. A login is requested from the same user account at 5 PM MST from another country that cannot be reached within an hour.

To meet these requirements, create a policy and configure the following rules as a combination rule:

  • User Time of Login: To verify the login time and restrict access outside office hours.

  • Device Fingerprint: To recognize the device.

  • Geolocation: To recognize the location of login.

  • Geo-Velocity Tracker: To determine the travel speed implied by the distance and time since the user's last login, and to help prevent man-in-the-middle, brute force, and DDoS attacks.

Configuration Steps:

  1. On the Home page, click Risk-based Policies > Risk Policy.

  2. Click the Plus icon.

    Under Add Risk Policy, specify a name and description of this policy.

    Policy Name: Specify a name.

    Policy Description: Specify the purpose of this policy.

  3. Select an Identity Server cluster in Assign Policy To and select an authentication class that will use this policy. You can also create a new class here.

    For information about how to create a new class, see Adding a Risk Policy.

  4. Create a combination rule as follows:

    1. Under Rule Evaluation Order, click the Plus icon > Add New Rule, and specify a name for this rule.

    2. Select User Time of Login Rule under Rule Definitions and specify the following values:

      User Time of Login: is

      Day: Monday to Friday

      Time: 9 AM to 5 PM

    3. Click the Plus icon in Rule Definitions, select Device Fingerprint Rule, and specify the following values:

      Valid for (in days): 30

      Store Fingerprint in: Browser

      Parameter Settings: Keep the default parameters or select the required ones. See Section 6.10.2, Understanding Device Fingerprint Parameters.

    4. Click the Plus icon in Rule Definitions, select Geolocation Rule, and specify the region from which you want to accept all login requests without additional authentication.

      For example, if you select the is condition and specify USA as the Country Code, Access Manager prompts for additional authentication for all users who try to log in from any other country.

    5. Click the Plus icon in Rule Definitions, select Geo-Velocity Tracker Rule, and specify the following details:

      Specify the interval in hours after which you want to check the user’s location.

      Select the Negate Results option.

    6. Add a condition to prompt for additional authentication if any of these rules fails.

      In Combination Strategy, click the Edit icon > Plus icon and then select all four rules. Select AND in Group Operator. For information about how these operators work, see Combination Rule in Table 6-1, Risk-based Authentication Terms.

    7. Click Save > Next.

    8. In Add Rule to Policy, specify the following values:

      If rule condition is met, then: Allow Access and Exit Policy.

      If rule condition is not met, add risk score: 10

    9. Click Finish.

  5. Under Risk Levels, click the Plus icon and create the following risk level:

    Field         Value
    Risk Score    Greater than or Equal to 10
    Risk Level    Medium
    Action        Additional Authentication > X509

This policy evaluates all four rules; if any rule fails, the user is prompted for additional X509 authentication.
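The following is an added example, not Access Manager code, that models the policy described above in Python: the improbable-travel (geo-velocity) check from the scenario and the AND-combination of the four rules with the risk score and level from the configuration steps. The 900 km/h plausible-speed ceiling, the 24-hour comparison interval, the MST time zone, the coordinates, and the constructed login events are assumptions for the illustration; the scenario's own 4 PM and 5 PM MST logins are used as the sample input.

```python
# Added example, not Access Manager code: a minimal model of the four-rule
# combination policy above, including an improbable-travel (geo-velocity) check.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling for plausible travel speed (roughly airliner cruise speed).
MAX_PLAUSIBLE_SPEED_KMH = 900.0
MST = timezone(timedelta(hours=-7), "MST")  # the scenario's time zone (assumed UTC-7)


@dataclass
class LoginEvent:
    user: str
    timestamp: datetime          # timezone-aware
    country: str                 # country code as used by the Geolocation rule
    lat: float
    lon: float
    device_fingerprint: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def improbable_travel(prev: LoginEvent, cur: LoginEvent, interval_hours: float = 24.0) -> bool:
    """True when the distance between two logins inside `interval_hours` could only
    be covered faster than MAX_PLAUSIBLE_SPEED_KMH. Only logins within the interval
    are compared (the rule's 'interval in hours'); out-of-order events are not evaluated."""
    elapsed = cur.timestamp - prev.timestamp
    if elapsed < timedelta(0) or elapsed > timedelta(hours=interval_hours):
        return False
    # Clamp to one second so two logins with the same timestamp do not divide by zero.
    hours = max(elapsed.total_seconds(), 1.0) / 3600.0
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    return distance / hours > MAX_PLAUSIBLE_SPEED_KMH


def within_office_hours(ev: LoginEvent) -> bool:
    """Monday to Friday, 9 AM up to (not including) 5 PM, in the event's own time zone."""
    return ev.timestamp.weekday() < 5 and 9 <= ev.timestamp.hour < 17


def evaluate_policy(cur: LoginEvent, prev: Optional[LoginEvent],
                    known_fingerprints: set, allowed_country: str = "US",
                    interval_hours: float = 24.0) -> dict:
    """AND-combine the four rules: if all pass, allow and exit (score 0); otherwise
    add risk score 10, which maps to the Medium level and the X509 step-up action."""
    rules = {
        "User Time of Login": within_office_hours(cur),
        "Device Fingerprint": cur.device_fingerprint in known_fingerprints,
        "Geolocation": cur.country == allowed_country,
        # Negate Results: the rule passes when travel is NOT improbable.
        "Geo-Velocity Tracker": prev is None or not improbable_travel(prev, cur, interval_hours),
    }
    score = 0 if all(rules.values()) else 10
    action = "Allow Access and Exit Policy" if score < 10 else "Additional Authentication > X509"
    return {"rules": rules, "risk_score": score, "action": action}


# Constructed sample: Wednesday 4 PM MST login from Denver, then 5 PM MST from London.
DENVER_LOGIN = LoginEvent("alice", datetime(2024, 5, 15, 16, 0, tzinfo=MST), "US",
                          39.7392, -104.9903, "fp-known-laptop")
LONDON_LOGIN = LoginEvent("alice", datetime(2024, 5, 15, 17, 0, tzinfo=MST), "GB",
                          51.5074, -0.1278, "fp-unknown-browser")
KNOWN_FINGERPRINTS = {"fp-known-laptop"}

if __name__ == "__main__":
    first = evaluate_policy(DENVER_LOGIN, None, KNOWN_FINGERPRINTS)
    second = evaluate_policy(LONDON_LOGIN, DENVER_LOGIN, KNOWN_FINGERPRINTS)
    print(first["action"])                      # Allow Access and Exit Policy
    print(second["rules"], second["action"])    # all four rules False, X509 step-up
```

The second login fails every rule at once (after 5 PM, unknown device, non-US country, and a required speed of several thousand km/h), but a single failing rule is enough to add the score of 10 and trigger the Medium level, which is the behaviour the AND group operator gives.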