Creating an adaptive authentication policy
- Go to Settings > Adaptive Auth > Policies and click Add Policy.
- Configure the following fields:

  General

  - Name: Enter a unique name for the policy.
  - Action: Select one of the following:
    - Enforce MFA: By default, the FIC server requires login attempts from the specified source to use MFA.
    - Block: The FIC server blocks login attempts from the specified source.
    - Bypass MFA: The FIC server lets login attempts from the specified source or device bypass the MFA requirement.

    Note: The FIC server takes the specified action when an authentication request matches the policy settings.
  - Filters: Select the filter:
    - Subnet Filter: See Subnet Filter below.
    - Location Filter: See Location Filter below.
    - Device Filter: See Device Filter below.
    - No Source Filter: Select this option if you do not want to use any filter.
  - Schedule: Check the checkbox to enable scheduling. See Schedule below for details.

  Subnet Filter

  Create a filter for specified IP addresses or subnets. This option is available only when Subnet Filter is selected in the Filters field.

  - Subnets: Specify the subnet in one of the following formats:
    - IP address, e.g., 10.10.1.1
    - IP range, e.g., 10.10.0.0 - 10.10.10.2
    - CIDR notation, e.g., 10.10.1.0/24
  - No IP: This option is for devices that do not support subnet filtering. If enabled, the policy is applied to auth requests that do not carry IP information.
  - Last MFA: This option is available only when Action is set to Bypass MFA. Enable it to let end users on a trusted IP or subnet bypass MFA within a specified time period.
  - MFA Interval: If the user logs in from the same subnet within the specified time interval, they can bypass the login process. Once the time interval elapses, the login status expires. The valid values range from 1 to 72 hours.

  Location Filter

  Create a filter for specified countries or regions. This option is available only when Location Filter is selected in the Filters field.

  - Countries: Select the countries or regions of interest.
  - Unknown Country or Region: Select this option if the location is unknown.
  - Impossible Travel: Enable to block suspicious login attempts when FortiIdentity Cloud detects an unusual login request from an unreasonable geographical location.

  Device Filter

  Create a filter for specific devices. This option is available only when Device Filter is selected in the Filters field.

  Adaptive authentication is supported for devices running the following FOS versions:
  - FOS v7.6.4 build3510 (tested on US FIC)
  - FOS v7.4.8 build2795 (Mature) (tested on EU FIC)

  - Auth Interval: Specify how long the Auth Interval for bypassing MFA from a specific device remains in effect. As long as the user is active within that time interval, they keep their login status and bypass authentication. Configure an interval between 5 minutes and 3 days. The Auth Interval value must be less than the realm's Forget Device value (in hours).

  Schedule

  Set a schedule for the policy to take effect. This option is available only when Schedule is selected.

  - All Days: Select if the schedule applies to all days of the week.
  - Days: Select individual days of the week.
  - Timezone: Select the timezone; by default this is the timezone of the web browser. When an authentication request comes in, the FIC server uses the time in this timezone to match the request.
  - All day (default): Configure a time range for the policy. Select All day if you want the policy to apply all day; otherwise, select a specific Start Time and End Time.

    Note: If the start time is less than or equal to the end time, the time range is start time to end time; otherwise, the time range wraps around midnight and covers 0:00 to end time and start time to 23:59.
- When you are finished, click Apply.
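The following is an added example, not FortiIdentity Cloud code, that models how the Subnet Filter and Schedule settings above would be evaluated against an authentication request: it parses the three subnet formats the page lists (single IP, IP range, CIDR), honours the No IP option, applies the day-of-week and time-range rules including the wrap-around case from the note, and checks the MFA Interval bounds (1 to 72 hours). The `AdaptivePolicy` class, the `evaluate` function, first-match policy ordering and the "Enforce MFA" fallback when nothing matches are all assumptions made for this illustration; the request values are constructed.

```python
import ipaddress
from datetime import datetime, time, timedelta


def parse_subnet(spec):
    """Return a predicate over ipaddress objects for one Subnets entry.
    Accepts the three formats the page lists: '10.10.1.1',
    '10.10.0.0 - 10.10.10.2' and '10.10.1.0/24'."""
    spec = spec.strip()
    if "-" in spec:                                   # IP range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lambda ip: lo <= ip <= hi
    if "/" in spec:                                   # CIDR notation
        net = ipaddress.ip_network(spec, strict=False)
        return lambda ip: ip in net
    single = ipaddress.ip_address(spec)               # single address
    return lambda ip: ip == single


def in_time_range(t, start, end):
    """Schedule note: start <= end means start..end on the same day;
    otherwise the window wraps midnight: 0:00..end and start..23:59."""
    if start <= end:
        return start <= t <= end
    return t <= end or t >= start


def within_mfa_interval(last_mfa_at, now, interval_hours):
    """Last MFA / MFA Interval: a user who completed MFA from the same subnet
    within the interval may bypass it again. Valid range is 1 to 72 hours."""
    if not 1 <= interval_hours <= 72:
        raise ValueError("MFA Interval must be between 1 and 72 hours")
    return now - last_mfa_at <= timedelta(hours=interval_hours)


class AdaptivePolicy:
    """Hypothetical model of one policy row (assumption, not the product API)."""

    def __init__(self, name, action, subnets=(), no_ip=False, days=range(7),
                 all_day=True, start=time(0, 0), end=time(23, 59)):
        if action not in ("Enforce MFA", "Block", "Bypass MFA"):
            raise ValueError("unknown action: " + action)
        self.name, self.action = name, action
        self.matchers = [parse_subnet(s) for s in subnets]
        self.no_ip = no_ip
        self.days = set(days)                         # Monday == 0, as in datetime.weekday()
        self.all_day, self.start, self.end = all_day, start, end

    def source_matches(self, ip_str):
        if ip_str is None:                            # request without IP information
            return self.no_ip
        ip = ipaddress.ip_address(ip_str)
        return any(m(ip) for m in self.matchers)

    def schedule_matches(self, when):
        if when.weekday() not in self.days:
            return False
        return self.all_day or in_time_range(when.time(), self.start, self.end)

    def matches(self, ip_str, when):
        return self.source_matches(ip_str) and self.schedule_matches(when)


def evaluate(policies, ip_str, when):
    """Return the first matching policy (first-match ordering is an assumption),
    or None when no policy matches."""
    for p in policies:
        if p.matches(ip_str, when):
            return p
    return None


# Constructed sample policies: office subnets bypass MFA on weekdays 08:00-18:00,
# a range of addresses is blocked overnight (window wraps midnight), and
# requests with no IP information always get MFA enforced.
POLICIES = [
    AdaptivePolicy("office-bypass", "Bypass MFA",
                   subnets=["10.10.1.0/24", "10.10.0.0 - 10.10.10.2", "192.0.2.7"],
                   days=range(5), all_day=False, start=time(8, 0), end=time(18, 0)),
    AdaptivePolicy("night-block", "Block", subnets=["203.0.113.0/24"],
                   all_day=False, start=time(22, 0), end=time(6, 0)),
    AdaptivePolicy("no-ip-enforce", "Enforce MFA", no_ip=True),
]


def decide(ip_str, when, policies=POLICIES):
    """Action for a request; assumed fallback is 'Enforce MFA' when nothing matches."""
    hit = evaluate(policies, ip_str, when)
    return hit.action if hit else "Enforce MFA"


if __name__ == "__main__":
    monday_9 = datetime(2024, 1, 8, 9, 0)           # constructed timestamp (a Monday)
    print(decide("10.10.1.50", monday_9))           # Bypass MFA
    print(decide("203.0.113.9", datetime(2024, 1, 8, 23, 30)))  # Block (wrapped window)
    print(decide(None, monday_9))                   # Enforce MFA via no-ip-enforce
```

Note that the range check relies on `ipaddress` comparing addresses of the same IP version numerically, and that `in_time_range` is the only place the midnight wrap-around rule lives, so the two branches of the note can be unit-tested in isolation.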