This is the documentation for our RADIUSaaS Rule Engine, through which you can add an additional layer of security by defining rules that further restrict network access or by assigning VLAN IDs.
All rules you have configured will be applied after successful credential authentication, which means the rules only become effective after valid authentication credentials have been provided. This implies, in order to pass the first authentication wall, valid Trusted Roots (certificate-based authentication) or Users (Username+Password-based authentication) have to be added to your instance.
To avoid disruption of any existing instance or in case you do not want to use the Rule Engine at all, any authentication is allowed if no rule is defined by default. This is realized through our default rule Any authentication allowed.
The default rule Any authentication allowed still requires the presence of valid authentication credentials for a successful network authentication.
If you have multiple rules configured, they will be applied in the order you see in your web portal - from top to bottom.
The only exception is the Any authentication allowed rule, that will be handled as last step in case it is configured. This is especially helpful during a ramp-in scenario, where you might not be certain that your rules cover all use-cases or locations. All authentication request rejected by the prior rules will then still be accepted by the default rule. In the dashboard you are then able to observe the devices/users failing for all other rules and correct/extend the rules accordingly.
In case you end up having a large number of rules, we recommend - for the sake of maintaining high performance - to order the rules in a way that the most likely rules are hit first.
- Allow only specific authentication sources
- e.g. WiFi or LAN (VPN support is in progress)
- Allow only specific authentication types
- e.g. Certificate or Username+Password
- Allow only specific Trusted Roots
- Allow only specific Intune IDs or ignore the certificate attribute entirely
- Only allow usernames that match a Regex-pattern
- Define which SSIDs are allowed
- Define which Access Points or Network Switches are allowed (MAC-based)
Assign VLAN IDs ...
- By evaluating a custom certificate extension
- By parsing attributes in your certificate subject name