Reference Material | Trusted Network Locations
Trusted Network Locations is an identity service that allows administrators to designate certain IP ranges as trusted network locations. These trusted network locations can then be used in policies to automatically award the configured weight of this identity service to users who authenticate while connecting from a trusted IP. You can also use this identity service to only allow requests from trusted locations. In some cases, for example, it may be good practice to only allow users to authenticate from within the company's own network and exclude authentication attempts from all other locations.
Configuring Trusted Network Locations ranges
Before Trusted Network Locations can be used as an identity service in a policy, the trusted IP ranges have to be defined.
Note that if no IP ranges have been configured, all IP addresses are considered not trusted. If IP ranges have been configured, all IP addresses outside of the configured ranges are considered not trusted.
- In Authentication Web, go to Trusted Network Locations in the side navigation.
- Fill in a name for the range in the Name IP Range field.
- Fill in the From IP address and To IP address fields. To add a single IP address (not a range), only fill in the From IP address field.
- Click Add.
Note: once an IP range has been configured, it cannot be altered. If, for any reason, you need to change an existing IP range, you need to create a new IP range and delete the old one.
To remove a configured IP range, click on the trashcan icon next to the range you want to delete.
Configuring Trusted Network Locations as identity service
Adding Trusted Network Locations as an identity service is done in the same way as all other identity services.
- In the policy screen for the application, move Trusted Network Locations from the Unselected Identity Services box to the Selected Identity Services.
- Set the weight of the service by clicking on the number of stars you want to assign.
- Click Save.
When Trusted Network Locations is added to a policy, users authenticating from a trusted IP address will automatically receive the number of stars assigned to the service, while anyone outside the trusted IP ranges will not receive those stars.
Excluding non-trusted IPs
In some cases, the best way to ensure the security of the authentication process is to exclude any authentication request coming from outside the trusted IP ranges and only allow requests from trusted networks.
In order to exclude non-trusted IP addresses, check the Required checkbox in the Trusted Network Locations identity service in the policy.
When the Trusted Network Locations identity service is set to Required, users trying to authenticate from outside the trusted IP ranges will receive a message informing them that they have to initiate the authentication request from within the trusted network.
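Because a configured range cannot be altered afterwards, it helps to check planned ranges against sample client addresses before entering them. The Python sketch below is an added example that models the rules described above; it is not the product's own code. The function names, the inclusive range endpoints and the sample addresses are assumptions.

```python
import ipaddress

def make_range(name, from_ip, to_ip=None):
    """Build a range as entered in the Name / From / To fields.
    An empty To field means a single address."""
    start = ipaddress.ip_address(from_ip)
    end = ipaddress.ip_address(to_ip) if to_ip else start
    if start.version != end.version:
        raise ValueError(f"{name}: From and To must be the same IP version")
    if start > end:
        raise ValueError(f"{name}: From address is higher than To address")
    return (name, start, end)

def is_trusted(client_ip, ranges):
    """No ranges configured, or no matching range, means not trusted."""
    ip = ipaddress.ip_address(client_ip)
    # Assumption: both endpoints of a range are inclusive.
    return any(s.version == ip.version and s <= ip <= e for _, s, e in ranges)

def evaluate(client_ip, ranges, weight, required=False):
    """Return (allowed, stars) for this identity service alone.
    Other services in the policy may still add stars or deny access."""
    trusted = is_trusted(client_ip, ranges)
    if required and not trusted:
        # Required: the request must come from within the trusted network.
        return (False, 0)
    return (True, weight if trusted else 0)

# Constructed sample ranges (RFC 5737 documentation addresses).
RANGES = [
    make_range("office", "192.0.2.10", "192.0.2.50"),
    make_range("vpn-gateway", "198.51.100.7"),  # single address, To left empty
]

if __name__ == "__main__":
    for ip in ("192.0.2.20", "192.0.2.51", "198.51.100.7", "203.0.113.5"):
        print(ip, evaluate(ip, RANGES, weight=2, required=True))
```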
Enrollment and Captcha
The Trusted Network Locations identity service can also be used to further secure the enrollment procedure, or to omit Captcha if the user authenticates from a trusted IP address.
Configuring enrollment with Trusted Network Locations
- In Authentication Web, go to Policies.
- In the Enrollment security mode section, select the checkbox labeled Only from Trusted IP.
When this setting is enabled, users will only be able to enroll when authenticating from a trusted IP address.
Configuring Captcha with Trusted Network Locations
- In Authentication Web, go to Account.
- In the CAPTCHA tab, select the radio button marked Enabled Captcha for untrusted IP addresses.
When this setting is enabled, users will only be presented with a Captcha if they authenticate from an IP address outside the configured trusted IP ranges.