Apply step-up authentication policy

Step-up authentication is implemented through a protected object policy (POP) attached to the objects that require authentication-sensitive authorization, using the POP's IP endpoint authentication method attribute. The pop modify set ipauth command sets both the allowed networks and the authentication level required from each of them in that attribute. When specifying an IPv4 address, it must be given in IPv4 format.

The configured authentication levels can be linked to IP address ranges. This method is intended to provide management flexibility. If filtering users by IP address is not important, we can set a single entry for anyothernw (any other network). This setting affects all accessing users, regardless of IP address, and requires the users to authenticate at the specified level. This method is the most common method for implementing step-up authentication.

The anyothernw entry is a network range that matches any network not otherwise listed in the POP. Use it to create a default entry that either denies all unmatched IP addresses or allows access to anyone who meets the authentication level requirement. By default, anyothernw is present in a POP with an authentication level index of 0 and appears as Any Other Network in the output of the pop show command. The following output shows a sample for the poptest1 POP:

pdadmin sec_master> pop show poptest1

       Protected object policy: poptest1
       Description: Test POP
       Warning: no
       Audit level: none
       Quality of protection: none
       Time of day access: sun, mon, tue, wed, thu, fri, sat:
           anytime:local
       IP Endpoint Authentication Method Policy
           Any Other Network 0
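As an added illustration (not ISVA's own code), the following Python models how the network entries set with pop modify set ipauth and the anyothernw default decide whether a request passes, needs step-up, or is denied. It assumes the forbidden level keyword as the deny setting for anyothernw (not shown on this page) and resolves overlapping networks by longest prefix, which is a simplification of this model rather than a documented ISVA rule.

```python
"""Model of a POP's IP endpoint authentication method evaluation (added
illustration, not ISVA code). Entries mirror the arguments of
`pop modify <pop> set ipauth <network> <netmask> <level>`; the default
anyothernw level index is 0, as shown by `pop show` after `pop create`."""
import ipaddress
from dataclasses import dataclass, field

FORBIDDEN = "forbidden"  # assumed deny keyword for an entry's level


@dataclass
class IpAuthPolicy:
    # (network, netmask, level) triples exactly as given to `set ipauth`
    entries: list = field(default_factory=list)
    anyothernw: "int | str" = 0  # applies to any IP no entry matches

    def required_level(self, client_ip):
        """Level index the client must hold; longest-prefix match is an
        assumption of this model for overlapping network entries."""
        ip = ipaddress.ip_address(client_ip)
        best = None
        for network, netmask, level in self.entries:
            net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, level)
        return best[1] if best else self.anyothernw

    def decide(self, client_ip, current_level):
        """Return 'allow', 'step-up' or 'forbidden' for one request.
        'step-up' is where WebSEAL would prompt for the method that
        is configured at the required level index."""
        need = self.required_level(client_ip)
        if need == FORBIDDEN:
            return "forbidden"
        if current_level >= need:
            return "allow"
        return "step-up"


# Constructed sample: internal users need level 1, everyone else level 2.
SAMPLE = IpAuthPolicy(entries=[("10.1.0.0", "255.255.0.0", 1)], anyothernw=2)
```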

See the IBM Security Verify Access for Web: Command Reference.