Rules Engine Concepts

Updated 1 week ago by admin

Cloud MFA comes with a set of preconfigured Rules (the MFA Rule and the Bypass Rule). Most users will have no need to make any further changes. Before editing the MFA Rules, or creating your own Rules, check whether the default setup serves your needs.

Adding new MFA Rules

To add a new Rule, visit your USS Dashboard and click ProductsMFARules.

Click to create a new Rule. Given the Rule a sensible name, and choose the Authentication Client for which this Rule will be used.

Your installation might only have one installed Authentication Client.

Click . Your new Rule will be created, and displayed in the Rule Editor.

The MFA rule editor follows a similar layout to the rules editor from other Cloud USS products, such as Web Security.

Set the Rule to Active

By default, new Rules are not set to Active. Click the Active toggle to On.

Change the Rule name

If you want to change the name of this Rule, you can do so using the field in the top right. You can also give the Rule a short description.

Set the Risk Thresholds

Each authentication attempt processed by Cloud MFA is assigned a Risk value. This value represents the likelihood of this authentication attempt being malicious or fradulent. By default, each Rule treats a Risk value lower than 22% as Low Risk and a Risk value higher than 51% as High Risk. If you want to change those values, you can do using the Risk Threshold sliders.

Changes to the threshold values will only affect the Rule you're editing. Any other Rules will keep the values they've been assigned.

Add a Condition

To add a Condition under which this Rule will trigger, simply drag and drop a Condition from the Conditions box to the Selected Conditions column.

If a Rule has no Conditions, it will automatically trigger for all users.
AD Group

To limit this Rule to only triggering for users in specific Active Directory groups, use this Condition.

Time

Use this Condition to increase the Risk value of this authentication attempt if it does not occur within a specified time period.

When you this Condition, you will be able to choose to add Risk points. Doing so will increase the Risk value for this authentication attempt by the chosen value if the Condition is violated. You could for example choose to add 10 Risk points if the authentication attempt is made between 3am and 6am.

Adding a Time Condition does not automatically deny authentication attempts that fall outside the specified time period. If you want to guarantee that attempts made outside the specified time period will always fail, set the Risk value for the Time Condition to 100.
By default, a Time Condition will be violated if the authentication attempt does not occur within the specified timeframe. If you wish the Condition to be violated if the attempt does occur within the timeframe, use the button to toggle the logic from Allow to Deny.
Geo-location

Use this Condition to increase the Risk value of this authentication attempt if does not originate from an IP located in a specific region or regions.

When you this Condition, you will be able to choose to add Risk points. Doing so will increase the Risk value for this authentication attempt by the chosen value if the Condition is violated. You could for example choose to add 10 Risk points if the authentication attempt originated from territories other than the UK and the USA.

Adding a Geo-location Condition does not automatically allow or deny authentication attempts that don't meet the criteria. If you want to guarantee that attempts that don't meet the geo-location criteria will always fail, set the Risk value for the Geo-location Condition to 100.
By default, a Geo-location Condition will be violated if the authentication attempt does not originate from the specified location(s). If you wish the Condition to be violated if the attempt does originate from those locations, use the button to toggle the logic from Allow to Deny.
Source IP

Use this Condition to increase the Risk value of this authentication attempt if does not originate from an IP located in a specific range.

When you this Condition, you will be able to choose to add Risk points. Doing so will increase the Risk value for this authentication attempt by the chosen value if the Condition is violated. You could for example choose to add 10 Risk points if the authentication attempt originates from an IP address outside your corporate domain.

Click , and use the button to add an IP range. The value needs to be a valid CIDR mask, eg 10.0.0.0/24.

Adding a Source IP Condition does not automatically allow or deny authentication attempts that don't meet the criteria. If you want to guarantee that attempts that don't meet the criteria will always fail, set the Risk value for the Source IP Condition to 100.
By default, a Source IP Condition will be violated if the authentication attempt does not originate from the specified IP range. If you wish the Condition to be violated if the attempt does originate from a specific range, use the button to toggle the logic from Allow to Deny.

Add First Factors

Once you've added any appropriate Conditions to your Rule, you'll need to choose the First Factor authentication method that this Rule will offer.

As usual, you do this by dragging and dropping a tile from the First Factors box to the appropriate column. When editing an MFA Rule, there are three available columns: Low Risk, Medium Risk and High Risk. You can add a First Factor authentication method to each of those three columns.

For most Rules, First Factor authentication consists of a Auth Client First Factor in the Low Risk column, and a Deny First Factor in the Medium Risk and High Risk columns. Unless you have a specific need, you should configure your Rule to also follow this pattern.
Auth Client

Adding this First Factor will force the Authentication Client with which this Rule is associated to be the first factor for authentication.

Deny

If this First Factor is triggered, the user will be prevented from authenticating.

If an authentication attempt triggers a Deny First Factor, no further Rules will be processed for that attempt.

Add Second Factors

Each Rule can offer the user a number of second factor authentication options.

As usual, you do this by dragging and dropping a tile from the Second Factors box to the appropriate column. When editing an MFA Rule, there are three available columns: Low Risk, Medium Risk and High Risk. You can add Second Factor authentication methods to each of those three columns.

You can add more than one Second Factor to each column. If a column contains more than one Second Factor, they will be processed in order from top to bottom.
If the First Factor for a column is set to Deny, you will not be able to add any Second Factor.
Soft Token Push

The user will be prompted to authenticate using the Entrust ST (Soft Token) smartphone app.

SMS / Email

The user will be required to enter a One-Time Passcode. The passcode will be sent automatically, either by SMS text message or by email.

You can choose whether this Second Factor prioritises SMS or Email using a setting in Product Configuration.
Hard / Soft Token

The user will be prompted to complete a soft token or hard token challenge.

Smart Push

The Smart Credential Puish feature automatically prompts the user to authenticate on their mobile device. This requires the user to have installed the Entrust ST smartphone app.

Changing the default behaviour for First Factor and Second Factor authentication

Your Cloud USS installation comes with a default Rule, called MFA. To change the priority for First and Second Factor authentication for your users, simply edit this Rule.

  1. Visit your USS Dashboard and click ProductsMFARules. Double-click the MFA Rule to edit.
Your MFA Rule will be named after the Authentication Client you're using. For example, if you've added RADIUS as an authentication client, your default MFA Rule will be called RADIUS - MFA.

The MFA rule editor follows a similar layout to the rules editor from other Cloud USS products, such as Web Security.

The default order for Second Factor authentication is:

  • Smart Push
  • Soft Token Push
  • Hard / Soft Token
  • SMS / Email
  1. If you want to change the order, just use the arrow icons to move each Second Factor up or down in the list.

Allowing certain users to bypass Second Factor authentication

Adding an authentication client will automatically create two Rules - the MFA Rule and the Bypass Rule. The Bypass Rule - which is initially disabled by default - can be used to allow a subset of your users to bypass Second Factor authentication.

  1. Double-click the Bypass Rule to edit it.
  2. Add an AD Group Condition to the Selected Conditions column.
If you're using the Bypass Rule, you must at a minimum add an AD Group Condition to the Rule. Without this Condition, the Bypass Rule will apply to all your users (allowing all your users to bypass 2nd-factor authentication, which is almost certainly not what you want).
  1. Click on your new AD Group Condition, and choose the AD group that contains the users who will be allowed to bypass Cloud MFA authentication.

Like other Rules, the Bypass Rule is made up of Conditions and First Factor Actions. Unlike other Rules, though, the Bypass Rule has no Second Factor Actions. That means that, for users who meet the conditions of this Rule, no further challenge will be issued after initial login. It is therefore strongly recommended that you add an AD Group Condition, and strictly limit access to the AD group you select.

Use the Bypass Rule with caution. Allowing a subset of your users to bypass second-factor authentication inherently exposes your Cloud MFA installation to exploitation.
  1. Make sure that the toggle is set to On.
  2. Click to save the changes you've made to your Bypass Rule.


How did we do?