Specify network-based access restrictions
About this task
IBM Security Verify Access supports an optional protected object policy (POP) configuration setting that applies authentication strength levels to client requests originating from specified network addresses. A network address can be defined either as a single IP address or as a range of IP addresses. In most deployments, user access within POPs is not restricted by IP address, so this configuration section can usually be skipped.
The pdadmin pop modify set ipauth command is used to specify IP addresses. Note that this is the same pdadmin command that is used to specify authentication levels. The default usage of pdadmin pop modify set ipauth does not impose any network-based access restrictions: it specifies the command line argument anyothernw as the value for the IP Endpoint Authentication Method Policy attribute. This setting applies to all user access, regardless of the IP address of the requestor, and requires all users to authenticate at the specified level.
For example, the following command creates a POP that requires all users to authenticate at authentication level 1 and does not impose any network-based access requirements. The option anyothernw means any other network address, and the option forbidden enforces the denial policy.
Syntax:
pdadmin> pop modify pop-name set ipauth anyothernw level_index
For example:
pdadmin> pop modify test set ipauth anyothernw 1
Procedure
The following network-based access restrictions can be applied:
- Require a specific authentication strength level when the IP address of the requesting client is within a defined range of IP addresses.
Syntax:
pdadmin> pop modify pop_name set ipauth add network netmask level_index
Note that the pdadmin pop modify set ipauth add command specifies both the network addresses and the required authentication level in the IP Endpoint Authentication Method attribute.
For example, to require users from IP address range 9.1.2.[0–255] to use authentication strength level 1:
pdadmin> pop modify test set ipauth add 9.1.2.1 255.255.255.0 1
Note that the value specified for the netmask determines the range of network addresses affected. The number 0 in the netmask serves as a wildcard, meaning all IP addresses for that subnet. See the examples that follow.
IPv4 Address    Netmask            Network range affected
9.1.2.3         255.255.255.0      9.1.2.[0–255]
9.1.2.3         255.255.0.0        9.1.[0–255].[0–255]
9.1.2.3         255.0.0.0          9.[0–255].[0–255].[0–255]

IPv6 Address    Netmask            Network range affected
fec0::1         fff0::             fec[0-f]:[0-ffff]:[0-ffff]:[0-ffff]:[0-ffff]:[0-ffff]:[0-ffff]:[0-ffff]
fec0:ffff::1    ffff:fff0::        fec0:fff[0-f]:[0-ffff]:[0-ffff]:[0-ffff]:[0-ffff]:[0-ffff]:[0-ffff]
- Require requests from one specific IP address to use a specified authentication strength level.
For example, to require requests from IP address 9.1.2.3 to use authentication strength level 1:
pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.255 1
To require requests from all IP addresses on subnet 9.1.2.x to use authentication strength level 1:
pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.0 1
- Disable use of authentication strength level step-up by all requests from a range of network addresses.
The syntax is:
pdadmin> pop modify pop_name set ipauth remove network netmask
For example, to disable authentication strength step-up for all requests from the range of IP addresses on the 9.1.2.x subnet:
pdadmin> pop modify test set ipauth remove 9.1.2.1 255.255.255.0
- Allow access to the protected resource based solely on IP address, or range of IP addresses, regardless of the authentication strength level.
This restriction is enforced by specifying the IP address or addresses, and assigning an authentication level of zero (0). For example, to allow requests from IP address 9.1.2.3, regardless of authentication strength level:
pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.255 0
Likewise, to allow requests from all IP addresses on the 9.1.2.x subnet, regardless of authentication strength level:
pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.0 0
- Deny access based solely on IP address, or range of IP addresses, regardless of authentication strength level.
This restriction is enforced by using the keyword forbidden as the final parameter. For example, to prevent only the client at IP address 9.1.2.3 from accessing the protected resource:
pdadmin> pop modify test set ipauth 9.1.2.3 255.255.255.255 forbidden
Likewise, to restrict requests from all IP addresses on the 9.1.2.x subnet from accessing the resource:
pdadmin> pop modify test set ipauth 9.1.2.3 255.255.255.0 forbidden
- Prevent requests from all IP addresses from accessing the protected object, unless the IP address has been enabled by a previous pop modify set ipauth add command.
For example, in a use case above, requests from a range of IP addresses were required to use authentication strength level 1 to access the protected resource:
pdadmin> pop modify test set ipauth add 9.1.2.3 255.255.255.0 1
The administrator can, in addition, specify that requests from all other IP addresses are denied, regardless of authentication strength level, with the following pdadmin command:
pdadmin> pop modify test set ipauth anyothernw forbidden
The option anyothernw means any other network address, and the option forbidden enforces the denial policy.
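The following Python model, added here as an illustration and not part of the product or of this page, reproduces the netmask tables above and evaluates a set of ipauth entries (add, remove, anyothernw, a level index or forbidden) against a client address, so an administrator can check what a POP will demand before applying it. The class and function names are assumed for the example; the product does not state which entry wins when several overlap, so the most specific netmask winning is an assumption.

```python
import ipaddress

FORBIDDEN = "forbidden"  # modelled as a level value, as the pdadmin syntax uses it

def _parse(network, netmask):
    net, mask = ipaddress.ip_address(network), ipaddress.ip_address(netmask)
    if net.version != mask.version:
        raise ValueError("network and netmask must be the same IP family")
    return net, mask

def affected_range(network, netmask):
    """Render the addresses a network/netmask pair covers, in the notation of the tables above."""
    net, mask = _parse(network, netmask)
    if net.version == 4:  # octet-wise: 255 keeps the octet, 0 is a wildcard, else a sub-range
        return ".".join(str(a) if m == 255 else "[0-255]" if m == 0 else f"[{a & m}-{(a & m) | (255 - m)}]"
                        for a, m in zip(net.packed, mask.packed))
    out = []
    for a, m in zip(net.exploded.split(":"), mask.exploded.split(":")):
        a, m = int(a, 16), int(m, 16)
        if m == 0xFFFF:
            out.append(f"{a:x}")
        elif m == 0:
            out.append("[0-ffff]")
        else:  # partial hextet: the leading hex digits are fixed, the rest are wildcarded
            fixed = bin(m).count("1") // 4
            out.append(f"{a:04x}"[:fixed] + "[0-" + "f" * (4 - fixed) + "]")
    return ":".join(out)

class IpAuthPolicy:
    """Constructed model of one POP's IP Endpoint Authentication Method attribute."""
    def __init__(self, anyothernw):
        self.rules = {}  # (family, masked network int, mask int) -> level index or FORBIDDEN
        self.anyothernw = anyothernw  # applies to every address that no entry matches
    def ipauth_add(self, network, netmask, level):
        net, mask = _parse(network, netmask)
        self.rules[(net.version, int(net) & int(mask), int(mask))] = level
    def ipauth_remove(self, network, netmask):
        net, mask = _parse(network, netmask)
        self.rules.pop((net.version, int(net) & int(mask), int(mask)), None)
    def required_level(self, client_ip):
        """Level index the client must reach, or FORBIDDEN. Assumption (not stated on the
        page): when several entries match, the one with the most netmask bits set wins."""
        ip = ipaddress.ip_address(client_ip)
        best = None
        for (fam, net, mask), level in self.rules.items():
            if fam == ip.version and int(ip) & mask == net:
                if best is None or bin(mask).count("1") > bin(best[0]).count("1"):
                    best = (mask, level)
        return self.anyothernw if best is None else best[1]
```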