Trusted Network Locations

Trusted Network Locations is an identity service that allows administrators to designate certain IP ranges as Trusted Network Locations. These Trusted Network Locations can then be used in policies to automatically award the configured weight of this identity service to users authenticating while connecting from a trusted IP. You can also use this identity service to only allow requests from trusted locations. In some cases, for example, it may be good practice to only allow users to authenticate from within the company’s own network. and exclude authentication attempts from all other locations.

Configuring Trusted Network Locations ranges


Before Trusted Network Locations can be used as an identity service in a policy, the trusted IP ranges have to be defined.

Note that if no IP ranges have been configured, all IP addresses are considered not trusted. If IP ranges have been configured, all IP addresses outside of the configured ranges are considered not trusted.

  1. In Authentication Web , go to Trusted Network Locations in the side navigation.
  2. Fill in a name for the range in the Name IP Range field.
  3. Fill in the From IP address and To IP address fields. To add a single IP address (not a range), only fill in the From IP address field.
  4. Click Add.
once an IP range has been configured, it cannot be altered. If, for any reason, you need to change an existing IP range, you need to create a new IP range and delete the old one.

To remove a configured IP range, click on the trashcan icon next to the range you want to delete, and confirm by clicking OK.

Bulk import IP ranges from file

If you have a list of trusted IPs or IP ranges in CSV format, you can upload that file to add the IPs/ranges to the list of Trusted Network Locations.

NOTE
The CSV file should have rows in the following format: name,low IP address,high IP address (these correspond to different columns if you are using Excel or a similar program to compile the list). Note that the high IP address can be left blank if you want to include a single IP address.
  1. Click the Browse button and navigate to the file you want to upload. Click Open.
  2. Optional: check the Ignore IP ranges that already exist checkbox if your list includes IP ranges already in the Trusted Network Locations list.
  3. Click Upload

Removing all IP ranges

Click the Remove All button at the top of the list to remove all IP ranges from the list.

WARNING
This action cannot be undone.

Configuring Trusted Network Locations as identity service


Adding Trusted Network Locations as an identity service is done in the same way as all other identity services.

  1. In the policy screen for the application, move Trusted Network Locations from the Unselected Identity Services box to the Selected Identity Services.
  2. Set the weight of the service by clicking on the number of stars you want to assign.
  3. Click Save.

When Trusted Network Locations is added to a policy, users authenticating in from a trusted IP address will automatically receive the number of stars assigned to the service, while anyone outside the trusted IP ranges will not receive those stars.

Excluding non-trusted IPs


In some cases, the best way to ensure the security of the authentication process, is to exclude any authentication request coming from outside trusted IP ranges, and only allowing requests from trusted networks.

In order to exclude non-trusted IP addresses, check the Required checkbox in the Trusted Network Locations identity service in the policy.

When the Trusted Network Locations identity service is set to Required, users trying to authenticate from outside the trusted IP ranges will receive a message informing them that they have to initiate the authentication request from within the trusted network.

Enrollment and Captcha


The Trusted Network Locations identity service can also be used to further secure the enrollment procedure, or to omit Captcha if the user authenticates from a trusted IP address.

Configuring enrollment with Trusted Network Locations
  1. In Authentication Web , go to Policies.
  2. In the Enrollment security mode section, mark the checkbox marked Only from Trusted IP.

When this setting is enabled, users will only be able to enroll when authenticating from a trusted IP address.

Configuring Captcha with Trusted Network Locations
  1. In Authentication Web , go to Account.
  2. In the CAPTCHA tab, select the radio button marked Enabled Captcha for untrusted IP addresses.

When this setting is enabled, users will only be presented with a Captcha if they authenticate from an IP address outside the configured trusted IP ranges.