Secure Mobile Access 100 10.2 Administration Guide

Table of Contents

Configuring Login Policies

The Login Policies page provides configuration options for policies that allow or deny users with specific IP addresses from having login privileges to the SMA appliance.

To allow or deny specific users from logging into the appliance

  1. Navigate to the Users > Local Users page.
  2. Click the Configure icon for the user you want to configure. The Edit Local User page is displayed.

  3. Click the Login Policies page. The Edit Local User - Login Policies page is displayed.

  4. To block the specified user or users from logging into the appliance, select Disable login.

  5. Optionally select Enable from the Enable client certificate enforcement drop-down menu, to require the use of client certificates for login. By selecting this option, you require the client to present a client certificate for strong mutual authentication. Two additional fields appear:

    • Verify username matches Common Name (CN) of client certificate – Select this check box to require that the user’s account name match their client certificate.
    • Verify partial DN in subject – Use the following variables to configure a partial DN that matches the client certificate:
      • Username: %USERNAME%
      • Domain name: %USERDOMAIN%
      • Active Directory username: %ADUSERNAME%
      • Wildcard: %WILDCARD%
  6. To require the use of one-time passwords for the specified user to log in to the appliance, select Require one-time passwords.
  7. In the One-Time Password drop-down menu, select Use domain setting, Enable, or Disable. The default is Use domain setting.

  8. From the One-Time Password drop-down menu, select one of the following:

    • Use domain setting – Take the action specified by the domain setting. Use domain setting is the default setting for this option.
    • Enabled – Enable this action for the user. Overrides the domain setting. When you select this option three additional fields appear:
      • User discretion – Allow user to edit one-time password settings from the Users > Local Users > Edit Local User page. Users have the option of selecting one or both of the following one-time password methods:
        • Use E-mail allows the user to select Use E-mail to enable this one-time password method.
        • Use Mobile App allows the user to Use Mobile App to enable this one-time password method.
    • Use E-mail – Optionally select Use E-mail to enable this one-time password method. The Email domain: window appears, in which you can enter an email address to send the one-time password.
    • Use Mobile App – Optionally select Use Mobile App to enable this one-time password method to force users to use a one-time password. Users can use Google Authenticator, Duo Mobile, or any other compliant two-factor authentication service.
    • Disabled – Disable this action for the user. Overrides the domain setting.
  9. Optionally click CLER APP INFO to clear mobile app binding information.
  10. To apply the policy you selected to a source IP address, select an access policy (Allow or Deny) in the Login From Defined Addresses drop-down menu under Login Policies by Source IP Address, and then click Add under the list box. The Define Address window is displayed.

  11. In the Define Address window, select one of the source address type options from the Source Address Type drop-down menu.

    • IP Address – Enables you to select a specific IP address.
    • IP Network – Enables you to select a range of IP addresses. If you select this option, a Network Address field and Subnet Mask field appear in the Define Address window.
    • IPv6 Address – This enables you to select a specific IPv6 address.
    • IPv6 Network – This enables you to select a range of IPv6 addresses. If you select this option, a IPv6 Network field and Prefix field appear in the Define Address window.

  12. Provide appropriate IP address(es) for the source address type you selected.

    • IP Address – Type a single IP address in the IP Address field.
    • IP Network – Type an IP address in the Network Address field and then supply a subnet mask value that specifies a range of addresses in the Subnet Mask field.
    • IPv6 Address – Type an IPv6 address, such as 2007::1:2:3:4.
    • IPv6 Network – Type the IPv6 network address into the IPv6 Network field, in the form 2007:1:2::. Type a prefix into the Prefix field, such as 64.
  13. Click Add. The address or address range is displayed in the Defined Addresses list in the Edit User Settings window. As an example, if you selected a range of addresses with 10.202.4.32 as the network address and 255.255.255.240 (28 bits) as the subnet mask value, the Defined Addresses list displays 10.202.4.32–10.202.4.47. In this case, 10.202.4.47 would be the broadcast address. Whatever login policy you selected is now applied to addresses in this range.
  14. To apply the policy you selected to a client browser, select an access policy (Allow or Deny) in the Login From Defined Browsers drop-down menu under Login Policies by Client Browser, and then click Add under the list. The Define Browser window is displayed.
  15. In the Define Browser window, type a browser definition in the Client Browser field and then click Add. The browser name appears in the Defined Browsers list.
  16. Click Accept. The new login policy is saved.