IP address exclusion in Policy not applied in VIP Authentication Hub

Article ID: 281477

Updated On:

Products

VIP Authentication Hub

Issue/Introduction


In VIP Authentication Hub, a rule is configured to exclude the IP network 192.168.0.0/24, as follows:

  192.168.0.0/24

  "<Rule1>"

  - Apply condition if: Value is outside configured IP Address or range

Even when the caller IP is inside the configured IP address range, the condition is still applied.

The Kibana logs report:

  Feb 9, 2024 @ 09:122:38.834 192.168.0.35

  OPA AuthnPolicy evaluation: finalResponses:[effect=allow,obligation=null,rulesMatched=[<Rule1>],policiesMatched=[<Policy1>],reAuthenticate=false,acr=urn:iam:acr:cat1:multiauth,mfa Frequency=EveryTime,authLevel=0, effect=allow,obligation=null,rulesMatched=[<Rule2>],policiesMatched=[<Policy1>],reAuthenticate=false,acr=urn:iam:acr:cat1:multiauth,mfa Frequency=OnceForTrustedDevice,authLevel=0]  

Per the documentation, ipAddress can be used in a rule to determine if a "single or a multi-factor authentication should be imposed upon the user" (1).
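To confirm whether an environment shows this behaviour (or that it is gone after the upgrade), the caller IP can be compared with the rules listed in the policy evaluation log entry. The Python check below is an added example, not part of the original article or the product; it assumes `<Rule1>` is the rule carrying the "outside configured IP Address or range" condition for 192.168.0.0/24 and that the caller IP is taken from the separate field shown in Kibana.

```python
import ipaddress
import re

# Assumption: rules that use the "Value is outside configured IP Address or range"
# condition, mapped to their configured networks (placeholder name from the article).
OUTSIDE_RULES = {"<Rule1>": ["192.168.0.0/24"]}

# Sample input: caller IP and log message as shown in the article.
SAMPLE_IP = "192.168.0.35"
SAMPLE_LOG = (
    "OPA AuthnPolicy evaluation: finalResponses:[effect=allow,obligation=null,"
    "rulesMatched=[<Rule1>],policiesMatched=[<Policy1>],reAuthenticate=false,"
    "acr=urn:iam:acr:cat1:multiauth,mfa Frequency=EveryTime,authLevel=0, "
    "effect=allow,obligation=null,rulesMatched=[<Rule2>],policiesMatched=[<Policy1>],"
    "reAuthenticate=false,acr=urn:iam:acr:cat1:multiauth,"
    "mfa Frequency=OnceForTrustedDevice,authLevel=0]"
)


def is_outside(caller_ip, networks):
    """True when caller_ip is in none of the configured addresses or ranges."""
    ip = ipaddress.ip_address(caller_ip)
    return all(ip not in ipaddress.ip_network(n, strict=False) for n in networks)


def matched_rules(log_line):
    """Return every rule name listed in the rulesMatched=[...] fields."""
    rules = []
    for group in re.findall(r"rulesMatched=\[([^\]]*)\]", log_line):
        rules.extend(r.strip() for r in group.split(",") if r.strip())
    return rules


def unexpected_matches(caller_ip, log_line, outside_rules=OUTSIDE_RULES):
    """Rules that matched although the caller IP is inside their configured range."""
    return [
        rule for rule in matched_rules(log_line)
        if rule in outside_rules and not is_outside(caller_ip, outside_rules[rule])
    ]


if __name__ == "__main__":
    # A non-empty list means an "outside range" rule fired for an in-range caller.
    print(unexpected_matches(SAMPLE_IP, SAMPLE_LOG))
```
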

 

Resolution


Upgrade VIP Authentication Hub to 3.1 to fix this issue.

 

Additional Information