Policy based authentication (Conditional 2FA) allows administrators to define the use of multiple authentication requirement to a TAC Site by segregating trusted and un-trusted sources or any other defined criteria using Access Policy.
This feature is helpful, when an organization is required to introduce two factor authentication to authenticate users and allow a set of users to bypass/skip two factor authentication. Now it is possible to define a TAC access policy to evaluate certain criteria and assign it to a authentication method/repository in the TAC Site's configuration to prompt or not to prompt during a Site initiation to enter credentials.
In order to make access more secure, some administrators use a second authentication side by side with their primary authentication. Sometimes all users are not required to use additional authentication due to special reasons such as trusted users, trusted IP#, trsuted client or they are located in a trusted environment etc... This segregation is now possible with the use of TAC's powerful policy engine.
For example, in an organization that requires a second authentication method for a set of groups and omit a second authentication method for other users, you can now define a policy to match a set of trusted IP ranges, a domain name or a Geo location where the users are trusted and set a condition to bypass the second authentication for these trusted users. Non-trusted users who do not satisfy the condition will be be prompted to enter second authentication.
The example policy below is defined to bypass authentication for clients who are connecting to the site from domain joined PCs.
Network.IsDomainJoined Equals 'No'
Important to note is that policy based authentication is enabled only if the rule satisfies the Allow condition. Allow is the only applicable condition that enables authentication server/repository during authentication policy evaluation.
When a user connects to site using a non-domain joined device after you assign this policy to a second authentication method, the user will be prompted to enter a second authentication and domain joined clients will not be prompted to do second authentication.
The main concept here is that during policy definition for authentication the admin needs to focus on the Allow result, which will be a signal to enable the authentication method. Explicit Deny or fallback Deny will disable the authentication method.
To enable the feature create a policy with the conditions you would like to determine on the user's end.
Read more: How to create an access policy
Once the access policy is created, assign it to the authentication method/repository in Authentication tab of the Site configuration.
To assign the policy:
- Select the Site, click Configure... In Site Configuration section of TAC Configuration Manager.
- Go to Authentication tab in Site Configuration window
- Select the authentication method/ repository from the authentication servers list and select the access policy from the drop down menu next to the repository.
- Click OK.
- Click Apply Configuration to take effect the changes.
Note: If this type of policy is assigned to all of the authentication methods in the site and during the policy evaluation the result is DENY for each authentication method, there will be an error message stating that the Site has an invalid authentication method because no authentication server is available to do authentication.
To troubleshoot Policy based authentication the administrator will need to enable TAC Tracing to generate logs and look for the policy category for possible outcomes
Read more: how to collect logs using TAC tracing tool