Context awareness for Access and Authentication decisions can come in many shapes or forms. One of the common use cases is restricting access to applications when users are not connected to the corporate network. Some organizations would like to let users access from outside the corporate network, but require strong authentication to do so.
There are a few simple steps to follow in order to create a policy that satisfies these use cases.
1. From the Access Admin console, select Access->Policies, and click on “Add a policy”.
2. In the “Basic Information” section, specify the name of your new policy. Make sure it is clear and meaningful so it will be easy to use when you select your specific application policies. I used “Secure access for off the corporate network users”.
Select the user stores that will be used in this policy, and then get to the meat of creating your policy on the “Access Rules” tab.
3. What you want to do is allow access to all users who are accessing from the internal network. In order to do so, identify the IP ranges for your internal IPs. In the rule set, select authentication “not required” for “All users” and add the following attributes in the policy rule:
User Session group, select the attribute “ipAddress” with the operand “Starts With” and enter the value of the internal network IPs. See screen shot with the specific Policy Rule.
After adding all relevant IP ranges, you will have defined the first rule set that grant access with no step up authentication to all users on the corporate network.
3. Now you will have to enforce step up authentication to all other users. Since the evaluation of access rules is done in priority order, all users that will not match the criteria of “on the corporate network” will fall under the second rule set, if no criterion is selected.
Click on “Add a Rule Set” on the top. Give the new rule set a meaningful name. In this case I used "Allow All Authenticated Users" and specify that Step up Authentication is Required. Select the Authentication Scheme and Sensitivity Level for this rule set.
Select “All Users” under the Criteria section.
All you have to do now is click “Save and Finish”, and your new policy will appear in the list of policies. You can now select it when defining an access policy for an application.
Note: if you would like to Deny access for users that are not on the network, there is no need to add a second rule set.