Creating IP-Based Rules to Bypass MFA for Specific Client Locations in ADSelfService Plus
- ADSelfService Plus: Professional version
- End Point MFA add-on license
- ADSelfService Plus application: Must be hosted on the internet with X-Forwarded-For enabled
Step 1: Creating Policies
- Create a policy targeting the relevant users, configuring MFA for required endpoints. Let’s name this policy Internal Policy.
- Duplicate the Internal Policy and name the new policy External Policy.
- Edit the Internal Policy and disable MFA for endpoints.
Step 2: Configuring Conditional Access
Go to Configuration > Self Service > Conditional Access.
Create a rule named Internal. This rule will define the internal IP range, ensuring that users within this range are assigned the Internal Policy where MFA is disabled.
- Outcome:
- If a user’s machine connects from a public network (i.e., the IP is not in the internal range), the External rule applies, activating the External Policy where MFA is required.
- If a user’s machine is on the office LAN (i.e., the IP is in the internal range), the Internal rule applies, activating the Internal Policy where MFA is disabled, allowing the user to log in without MFA.
Perimeter security is essential for this setup. When users connect from a public IP address, the request initially reaches the perimeter firewall before proceeding to the ADSelfService Plus server. This means the server sees the firewall’s IP address, not the user’s original IP. If the firewall’s IP falls within the internal range, MFA won’t be enforced. To address this, ensure that X-Forwarded-For is enabled at each network hop. This ensures the original source IP is included in the request, allowing accurate IP-based Conditional Access.
New to ADSelfService Plus?
Related Articles
How to enable offline MFA in ADSelfService Plus
ManageEngine ADSelfService Plus supports offline multi-factor authentication (MFA) for Windows machine logins, User Account Control (UAC) prompt elevation, and Remote Desktop Protocol (RDP) server authentication when the product server is ...Bind ADSelfService Plus to run on a specific virtual IP address
Description You can configure ADSelfService Plus to run on specific IP address. Resolution Step 1: Create a virtual IP Address on the machine where ADSelfService Plus is running. Start → Settings → Control Panel → Open Network connection. Right click ...Configuring MFA for FTD VPN using RADIUS
This guide provides steps for enabling multi-factor authentication (MFA) using RADIUS for Cisco's Firepower Threat Defense (FTD) product using ManageEngine ADSelfService Plus' MFA for VPN feature. To enable RADIUS-based authentication for Cisco FTD, ...How to deploy ADSelfService Plus over the internet?
Description Deploying ADSelfService Plus over the internet will allow end-users who are on the move to access the tool from anywhere, anytime. Resolution Register an IP address (say 64.12.13.11) and a public hostname (like ...How to configure custom SMS provider in ADSelfService Plus?
ADSelfService Plus lets you use any one of the following methods to send an SMS: GSM modem Clickatell (built-in support) Custom SMS gateway Configuring custom SMS gateway You can configure a custom SMS gateway to send notifications and verification ...