The following sections describe how to configure risk-based authentication rules that evaluate the risk of an authentication attempt.
To configure risk-based authentication, select Policies > Risk Configuration.
The following illustration depicts the steps involved in configuring risk-based authentication:
Select a type of rule and configure it.
Add the rule to a new or existing rule group and assign a risk score for the rule. For more information, see Configuring Rule Group, Risk Score, and Risk Levels.
Select the rule group and define the risk level for this rule group. For more information, see Configuring Rule Group, Risk Score, and Risk Levels.
Create a risk-based authentication class.
Assign the risk-based authentication class to a rule group and define the actions to execute when a risk level is exceeded. Also determine whether to record user login details. For more information, see Configuring an Authentication Class and Defining Actions.
Create a method for the risk-based authentication class. For more information, see Configuring a Method for an Authentication Class.
Create a contract for the risk-based authentication class. For more information, see Configuring a Contract for the Authentication Class.
To configure a rule, perform the following steps:
Click Policies > Risk Configuration > Rules.
Specify a name for the rule.
From the Rule Definition screen, select the Rule Type and specify the details that the selected type requires. The available rule types are:
IP Address
Cookie
HTTP Header
User Profile
User Last Login
User Time of Login
Device ID
Geolocation
Custom Rule
Proceed with Configuring Rule Group, Risk Score, and Risk Levels.
To configure a rule group, assign risk scores, and specify risk levels, perform the following steps:
Click Policies > Risk Configuration > Rules.
Select the Rule Group to which you want to add the rule. You can also create a new rule group and add the rule to it.
Specify a Risk Score for the new rule. This is the value recorded in the database when evaluation of the rule fails, and it contributes to the user's total risk score.
If you want the rule to be evaluated before the other rules in the group, select Add as Privileged Rule.
The Risk Score on Rule Failure field displays the risk score assigned to the rule. You can change it if required.
To check the final risk score, select the rules to be considered as failed, and click Validate. The validation result indicates the final risk score, risk level and the action for this risk score. For more information about using Validate to test the risk scores and the action, see Understanding How to Use the Validate Tool to Emulate Total Risk Score and Risk Levels
Define risk levels for the rule group:
Click Add. Select a Risk Level to be associated with the risk score. If you select Other, specify a name to identify the custom risk level.
Specify a risk score to be associated with the risk level.
Click OK.
Click OK.
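The following Python script is added here as an illustration and is not part of Access Manager or this documentation. It emulates what the Validate tool does for a rule group: you choose which rules are treated as failed, and it returns the total risk score, the risk level reached, and the action mapped to that level. It assumes that the total is the sum of the Risk Score on Rule Failure values of the failed rules, that a risk level applies once the total reaches the score assigned to that level (the highest such level wins), and that a privileged rule is simply moved to the front of the evaluation order. The rule group, rule names, scores, levels, and actions are constructed sample configuration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    score_on_failure: int      # "Risk Score on Rule Failure"
    privileged: bool = False   # "Add as Privileged Rule": evaluated before the others


@dataclass
class RuleGroup:
    name: str
    rules: list
    levels: dict    # risk level name -> score at which the level starts (assumption)
    actions: dict   # risk level name -> Risk Handler action (assumption)


def evaluation_order(group):
    """Privileged rules first, then the rest in configured order (assumption)."""
    privileged = [r for r in group.rules if r.privileged]
    ordinary = [r for r in group.rules if not r.privileged]
    return privileged + ordinary


def total_risk_score(group, failed):
    """Assumption: the total is the sum of the failure scores of the failed rules."""
    known = {r.name for r in group.rules}
    unknown = set(failed) - known
    if unknown:
        raise ValueError(f"not in rule group {group.name!r}: {sorted(unknown)}")
    return sum(r.score_on_failure for r in group.rules if r.name in failed)


def risk_level(group, score):
    """Highest level whose starting score the total has reached; None if below all."""
    reached = [(start, name) for name, start in group.levels.items() if score >= start]
    return max(reached)[1] if reached else None


def validate(group, failed):
    """Emulates Validate: returns (total score, risk level, action) for the failed rules."""
    score = total_risk_score(group, failed)
    level = risk_level(group, score)
    return score, level, group.actions.get(level)


# Constructed sample rule group (hypothetical names and scores, not from the page).
EXTERNAL_USERS = RuleGroup(
    name="external-users",
    rules=[
        Rule("Corporate IP range", 20, privileged=True),
        Rule("Known device ID", 30),
        Rule("Usual geolocation", 40),
        Rule("Login hour 06:00-20:00", 10),
    ],
    levels={"Low": 0, "Medium": 30, "High": 60},
    actions={"Low": "allow", "Medium": "step-up authentication", "High": "deny"},
)


if __name__ == "__main__":
    print("evaluation order:", [r.name for r in evaluation_order(EXTERNAL_USERS)])
    for failed in [set(), {"Known device ID"}, {"Known device ID", "Usual geolocation"}]:
        print(sorted(failed), "->", validate(EXTERNAL_USERS, failed))
```

Changing a score or a level threshold in the sample and re-running shows immediately which combinations of failed rules cross into step-up or deny, which is the question the Validate tool answers in the console.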
Recording user history involves three configuration steps:
Enabling recording of user history details while configuring the user history settings (Policies > Risk Configuration > Enable User History).
Enabling recording of user history while configuring a rule (Policies > Risk Configuration > Rule Type > Check user history).
Enabling recording of user history details for a rule group that is linked to an authentication class (Devices > Identity Server > Edit > Local > Classes > RiskBasedAuthClass > Record User History).
When you record user history details for a rule group that is linked to an authentication class, you can segregate the history details as required.
Consider a situation where you have two rule groups configured: one assesses authentication requests from users internal to the organization, and the other assesses requests from users external to the organization.
If you want to record history details for internal users only, enable recording of user history in the risk-based authentication class that authenticates the internal users.
To configure user history settings, perform the following steps:
Click Policies > Risk Configuration > User History.
Select Enable User History to save the user session details in the database.
Specify the number of history entries to consider during rule execution. For example, if you specify 10, it indicates that the last 10 session details should be considered during rule execution.
(Conditional) To store details in eDirectory, select Built-in Data Store.
NOTE: In a production environment, it is strongly recommended not to use eDirectory as the data store.
(Conditional) If you choose to save the session details in an external database, select External Database.
Specify the name to identify the driver.
Select the Database Driver. The driver path and dialect are displayed. You can change the driver and dialect details if required.
Specify the Username and Password to access the database.
Specify the URL to access the database.
NOTE: To configure MySQL as the database, ensure that the database URL is specified as mysql://db_user:db_user@localhost/netiq_risk?autoReconnect=true. The user name and password embedded in this URL (db_user:db_user) are placeholders; use a dedicated database account that has rights only on the netiq_risk database, and do not reuse the user name as the password.
For details about configuring MySQL or Oracle databases, see Configuring an External Database to Store User History.
Click OK.
Proceed with Configuring an Authentication Class and Defining Actions.
To configure Geolocation Profiling, perform the following steps:
Click Policies > Risk Configuration > Geolocation.
Select Enable Location Profiling to fetch location data from a geolocation database. This helps to identify the location of the user based on the IP address details.
Select a Geolocation Provider. The available options are:
Neustar Service
Custom Provider
Click OK.
To associate a risk-based class with a rule group and assign actions for the risk levels, perform the following steps:
Click Devices > Identity Servers > Edit > Local > Classes > New to create a new risk-based authentication class.
Specify a name to identify the class, then click Next.
Select RiskBasedAuthClass from the Java class option, then click Next.
Select the Rule Group to associate with the authentication class.
Select Record User History to record the user’s login details. Before enabling this option, ensure that you have configured a data store using the Policies > Risk Configuration > User History option.
From the Risk Handler option, select the action for each risk level. If you choose to configure additional authentication, select the authentication class to use for step-up authentication.
(Optional) Under Properties, click New.
Specify the property name.
Specify the property value.
For more information about properties, see Step 6.
Click Finish.
To configure a method for the risk-based authentication class, perform the following steps:
Select Local > Method > New to create a new method for the risk-based authentication class.
Specify a name to identify the method.
Select the risk-based authentication class from Class.
Deselect Identifies User. The risk-based method does not identify the user; it must be combined in a contract with a method that does, such as Name/Password – Form.
Select a user store from the list of Available User Stores.
Click Finish to save the data.
IMPORTANT:In a risk-based class, properties configured for the risk-based authentication method are ignored. So, if you want to configure additional properties, add the property to the risk-based authentication class.
To configure a contract for the risk-based authentication method, perform the following steps:
Select Local > Contract > New to create a new contract for the risk-based authentication class.
Specify a name to identify the contract.
You can either use an existing authentication contract or create a new authentication contract. For example, you can add the default Name/Password – Form method as the first method and risk-based authentication method as the second method.
Click Next to configure a card for the contract. For more information about configuring contracts, see Section 5.1.4, Configuring Authentication Contracts.
To configure how the Identity Server retrieves IP addresses in a NAT environment, perform the following steps:
Click Policies > Risk Configuration > NAT Settings.
Specify the name of the HTTP header field from which the client IP address is fetched (the header that the NAT device or proxy uses to pass the original client address).
Specify the regular expression that retrieves the client IP address from the HTTP header value.
If you use the regular expression .*, the match is the entire header value. When the header contains a list of multiple IP addresses, the result is not a single IP address and the rule execution fails, even though the client IP address is in the list.
So, if you want to retrieve the IP address from a list of multiple IP addresses, modify the regular expression accordingly.
For example, if you specify the regular expression .*?(?=,), the Identity Server considers the first IP address in the list to calculate risk. If the header value is 10.20.20.1,10.30.30.1,10.40.40.1, the regular expression .*?(?=,) returns 10.20.20.1. Note that .*?(?=,) requires a comma to be present; it does not match a header value that contains a single IP address. Because a client can also send such a header itself, make sure the header is set or overwritten by a proxy you control before the request reaches the Identity Server.
Click OK to save the configuration.
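The following Python script is an added example, not code from Access Manager or this documentation. It emulates the NAT setting by applying a configured regular expression to a header value and accepting the match only if it parses as an IP address, which is the behaviour the text describes for .* and .*?(?=,). It runs the regex from the text against the address list from the text, against a single-address header, and against a list with spaces, and it also tries two patterns of its own: [^,]+ for the first entry whether or not a comma follows, and [^,\s]+$ for the last entry, which is the one appended by the proxy closest to the Identity Server. The header values are constructed samples, and whether the product applies the regex as a search or an anchored match is an assumption.

```python
import ipaddress
import re

# Constructed sample header values (not captured traffic).
SAMPLES = {
    "chain": "10.20.20.1,10.30.30.1,10.40.40.1",   # the list from the text
    "single": "10.20.20.1",                        # one hop, no comma
    "spaced": "10.20.20.1, 10.30.30.1",            # list with a space after the comma
}

PATTERN_GREEDY = r".*"           # whole value: fails on a list
PATTERN_FIRST_DOC = r".*?(?=,)"  # the regex from the text: up to the first comma
PATTERN_FIRST = r"[^,]+"         # first entry, comma or not (assumption: our own pattern)
PATTERN_LAST = r"[^,\s]+$"       # last entry, appended by the nearest proxy (our own pattern)


def extract_client_ip(header_value, pattern):
    """Apply the configured regex to the header value (assumed: first match wins)
    and return the matched text as a normalised IP address, or None when the
    regex does not match or the match is not a single IP address."""
    m = re.search(pattern, header_value)
    if m is None:
        return None
    candidate = m.group(0).strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None  # e.g. the whole comma-separated list: rule execution fails


def run_samples():
    """Evaluate every sample header with every pattern; returns a nested dict."""
    patterns = {
        "greedy": PATTERN_GREEDY,
        "first_doc": PATTERN_FIRST_DOC,
        "first": PATTERN_FIRST,
        "last": PATTERN_LAST,
    }
    return {
        name: {label: extract_client_ip(header, pat) for label, pat in patterns.items()}
        for name, header in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, results in run_samples().items():
        print(f"{name:7s} {SAMPLES[name]!r}")
        for label, ip in results.items():
            print(f"         {label:10s} -> {ip}")
```

The single-address sample is the case to watch: .* succeeds there and .*?(?=,) returns nothing, so a pattern that works for one deployment topology can fail silently in another. Pick the entry your own proxy writes, test it against both one-hop and multi-hop headers, and remember that any entry to the left of the one your proxy appended was supplied by an earlier hop or by the client.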
You can define a condition group as part of the authorization policy that uses the risk score from Identity Server to protect a resource.
To define a risk condition group and assign actions on rule execution, perform the following steps:
Select Policies > Policies.
Select the policy container, then click New.
Specify a name for the policy, then select Access Gateway: Authorization for the type of policy.
From the Condition Group, select Risk Score. Refer to Risk Score for more information about Comparison, Value, and Result on Condition Error.
Select an action. For more information about action, see Step 7.
Click OK to save the changes.
Access Manager logs the following Risk-based authentication audit events:
Risk-Based Authentication Succeeded
Risk-Based Authentication Action Involved
Risk-Based Authentication Failed
For details about how to configure Access Manager to send these events to a Novell Auditing Server, see Enabling Identity Server Audit Events.
To enable logging for Risk-based authentication, perform the following steps:
In the Administration Console, click Devices > Identity Servers > Edit > Logging.
Select Enabled under File Logging.
In the Component File Logger Levels section, specify any one of the following options for Application logs:
Severe: Logs serious failures that can stop system processing.
Warning: Logs potential failures that have minimal impact on execution.
Info: Logs informational events.
Verbose: Logs static configuration information.
The system logs any configuration errors under one of the primary three levels: Severe, Warning, and Info.
Debug: Logs events for all of the preceding levels (Severe, Warning, Info, and Verbose).
Click OK.
For more details, see Identity Server Logging.