This filter specifies which agents are allowed to authenticate against the virtual server. When you select the Agent is filter, you set a condition for the filter. For example, selecting IAS allows RADIUS authentication from all Microsoft IAS/NPS servers with the appropriately configured SafeNet Agent for IAS/NPS.

• Authentication API: Required to allow authentication from third-party applications that added authentication using the SafeNet Authentication API.

• Citrix: Required to allow authentication via the SafeNet Agent for Citrix Web Interface.

• Console: Required to allow remote management connections to the STA server.

• IAS: Required to allow authentication via the SafeNet Agent for IAS/NPS.

• IIS: Required to allow authentication via the SafeNet Agent for IIS.

• Juniper / Funk SBR: Required to allow authentication via the SafeNet Agent for Juniper/Funk Steel Belted RADIUS.

• Remote Management API: Required to allow the Command Line Interface (CLI) to connect to the STA server.

• Windows Logon: Required to allow authentication via the SafeNet Agent for Windows Logon.

This filter limits the lifetime of a rule. This rule is always used in conjunction with another filter. For example, it could be used with the LDAP/AD Password Validation filter to facilitate migration from LDAP passwords to token authentication, so that LDAP passwords would be valid against SafeNet Trusted Access until the rule expires or a token is activated.

• Begin this rule on: If enabled, the rule is not active until the indicated date. If disabled, the rule is immediately effective.

• Expire this rule on: If enabled, the rule stops being enforced on this date. If disabled, the rule remains active.

If enabled, SafeNet Trusted Access processes authentication requests only on the selected days of the week. Unlike the Access Restrictions module on the Assignment tab, this rule can enforce restrictions on groups or destinations.

If enabled, SafeNet Trusted Access does not process authentication requests from NAS devices, such as VPNs and firewalls, that have an IP address outside of the defined range. This filter is usually used in conjunction with another filter. For example, if combined with a group membership attribute, only members of a specific group could authenticate at a NAS device in the IP range. Conversely, in the absence of any other contravening rule, members of the group would not be able to authenticate at a NAS device that is not in the IP range. This filter supports IPv4 and IPv6 addressing.

• Is equal to: Specifies a single valid IP address.

• Is in the range of: Specifies an IP address range.

• Is in: Specifies an IP address range using a mask.

This filter determines when SafeNet Trusted Access should validate a password or pass it through to LDAP for validation. It also determines how SafeNet Trusted Access handles LDAP authentications that fail.

This function is available with STA through Active Directory password synchronization.

MSCHAPv2 authentication protocol is not supported for LDAP/AD passwords.

The primary purpose of this filter is the transparent migration of users from static passwords to token authentication. For users that meet the conditions, authentication will “pass through” SafeNet Trusted Access to LDAP, or use the synchronized Active Directory password for validation. This filter also determines the action that SafeNet Trusted Access takes after LDAP authentication. This filter is often combined with Date Restrictions and Agent or IP attributes.

For example, enabling LDAP/AD Password Validation if a user has no token or temporary password means that any user with a token must use it to authenticate. Those without a token continue to use their LDAP password until they receive or enroll their token, or until the date restriction disables this attribute.

• Always: All passwords are passed to LDAP for validation against the AD hash.

• When user has no SafeNet Trusted Access token or password: Passwords are passed to LDAP for validation against the AD hash only if the user does not have a token that is in the Active, Suspended, or Locked state, or has a STA temporary password.

• When user has an active SafeNet Trusted Access token or password: Passwords are passed to LDAP for validation against the AD hash only if the user has a token that is in the Active, Suspended, or Locked state, or has a STA temporary password.

• If LDAP authentication fails, reject the authentication: Access is denied if LDAP authentication fails.

• If LDAP authentication fails, forward request back to SafeNet Trusted Access: SafeNet Trusted Access attempts to validate the password.

• If LDAP authentication succeeds, the user is authenticated: SafeNet Trusted Access grants access based on the AD password alone.

• If LDAP authentication succeeds, when challenge is automatically triggered.: If a MobilePASS+ token is available, then STA sends a MobilePASS+ push notification to the user, requesting authentication authorization.

  If the MobilePASS+ token is absent, then STA challenges the user to authenticate with their STA token or password.

  This option is useful for end-to-end automated flows, minimal user intervention, and high token delivery success rates.

  Force challenge response is renamed to automatically trigger challenge.

• If LDAP authentication succeeds, enforce a challenge prompt for manual trigger: Users can manually trigger a challenge, such as when a push-based token is not delivered.

  Click here to see the impact of multi-mode settings in different scenarios.

  

If enabled, SafeNet Trusted Access processes authentication requests only within the selected time range. Unlike the Access Restrictions module on the Assignment tab, this rule can enforce restrictions on groups or destinations.

• Start time: If enabled, the rule is not active until the indicated time. If disabled, the rule is immediately effective.

• End time: If enabled, the rule stops being enforced at this time. If disabled, the rule remains active.

This filter requires group membership for authentication to proceed. It is normally used in conjunction with Agent or IP filters so that a user must be a member of a specified LDAP group when authenticating at the defined agent or IP address.

This filter does not require group membership to be configured in SafeNet Trusted Access. LDAP group memberships can be checked with each authentication. This means that group memberships can be managed from LDAP. Use * as a wildcard to filter available groups.

The user must be a member of the specified group in the list. To create a list, use the arrows to move the groups to the Used by rule list, and then select Add to add the groups to the Conditions.