Creating IP-Based Rules to Bypass MFA for Specific Client Locations in ADSelfService Plus
To configure a rule that allows clients from a specified area (based on IP) to bypass Multi-Factor Authentication (MFA), follow these guidelines for setting up Adaptive MFA using Conditional Access.
Note: The policy names used in this article are for illustrative purposes only.
Prerequisites:
- ADSelfService Plus: Professional version
- End Point MFA add-on license
- ADSelfService Plus application: Must be hosted on the internet with X-Forwarded-For enabled
Step 1: Creating Policies
1. Create a policy targeting the relevant users, configuring MFA for the required endpoints. Let's name this policy Internal Policy.
2. Duplicate the Internal Policy and name the new policy External Policy.
3. Edit the Internal Policy and disable MFA for endpoints.
Step 2: Configuring Conditional Access
1. Go to Configuration > Self Service > Conditional Access.
2. Create a rule named Internal. This rule defines the internal IP range, ensuring that users connecting from within this range are assigned the Internal Policy, where MFA is disabled.
3. Copy the Internal rule and rename it External. Modify this rule's criteria to "NOT 1" (that is, the negation of rule 1), so that it matches all IP addresses outside the defined internal range. Assign the External Policy to this rule.
Outcome:
- If a user's machine connects from a public network (i.e., the IP is not in the internal range), the External rule applies, activating the External Policy where MFA is required.
- If a user's machine is on the office LAN (i.e., the IP is in the internal range), the Internal rule applies, activating the Internal Policy where MFA is disabled, allowing the user to log in without MFA.
Note on X-Forwarded-For
Perimeter security is essential for this setup. When users connect from a public IP address, the request initially reaches the perimeter firewall before proceeding to the ADSelfService Plus server. This means the server sees the firewall’s IP address, not the user’s original IP. If the firewall’s IP falls within the internal range, MFA won’t be enforced. To address this, ensure that X-Forwarded-For is enabled at each network hop. This ensures the original source IP is included in the request, allowing accurate IP-based Conditional Access.
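The following Python snippet is an added illustration, not ADSelfService Plus code and not a description of how the product evaluates the header internally. It models the two Conditional Access rules from Step 2 (rule 1 matches the internal range, rule 2 is "NOT 1") on top of a client-IP resolver that reads X-Forwarded-For only when the request arrives from a known perimeter hop. The internal range, the firewall addresses and the client addresses are constructed sample values, and the function names are assumptions for the example.

```python
"""Added example: IP-based policy selection with X-Forwarded-For awareness.

Models the failure mode in the note above: when the perimeter firewall
forwards the request and the server only looks at the peer address, a
public user appears to come from the firewall's internal IP.
"""
import ipaddress

# Constructed sample values (assumptions, not from the article).
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]
# Perimeter hops that append X-Forwarded-For: firewall and reverse proxy.
TRUSTED_PROXIES = {
    ipaddress.ip_address("10.0.0.1"),
    ipaddress.ip_address("10.0.0.2"),
}


def client_ip(remote_addr, xff_header=None):
    """Return the originating client address.

    remote_addr is the peer the server actually sees (the last hop).
    X-Forwarded-For is consulted only when that peer is a trusted proxy;
    the header lists hops left-to-right (client first), so walk it from
    the right past our own proxies to the first address we did not add.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES or not xff_header:
        return peer
    hops = [ipaddress.ip_address(h.strip())
            for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in TRUSTED_PROXIES:
            return hop
    return peer


def is_internal(ip):
    """Rule 1 (Internal): address falls inside a configured internal range."""
    return any(ip in net for net in INTERNAL_RANGES)


def select_policy(remote_addr, xff_header=None):
    """Return (policy name, MFA required) for a request.

    Rule 1 -> Internal Policy with MFA disabled; rule 2 ("NOT 1") ->
    External Policy with MFA required.
    """
    ip = client_ip(remote_addr, xff_header)
    if is_internal(ip):
        return ("Internal Policy", False)
    return ("External Policy", True)


if __name__ == "__main__":
    # LAN user, direct connection.
    print(select_policy("10.20.30.40"))
    # Public user behind the firewall, X-Forwarded-For NOT enabled:
    # the server sees 10.0.0.1 and wrongly applies the Internal Policy.
    print(select_policy("10.0.0.1"))
    # Same user once the firewall forwards the original address.
    print(select_policy("10.0.0.1", "203.0.113.7"))
    # Two trusted hops: firewall appended the client, proxy appended the firewall.
    print(select_policy("10.0.0.2", "203.0.113.7, 10.0.0.1"))
```

The last two calls show why the note insists on X-Forwarded-For at every hop: without it the firewall's address is all the server can see, and a public user silently lands on the MFA-disabled policy. Consulting the header only when the peer is a known proxy keeps a header arriving from an arbitrary peer from influencing the decision.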