IP Authentication

Christopher Dakin

Introduction

In LogonBox, in addition to the regular authentication methods, you can add a step to the authentication flow that checks the user's IP address and allows or blocks access based on it.

This article explains how to configure LogonBox to use this authentication method.

 

1. Configuring the Authentication Scheme

It is important to note that you can apply different authentication flows for six different types of logon: User Logon, Password Reset, Client, Account Unlock, SSO and Admin Logon.

Each of these can have its own default authentication flow configured, but for this article we shall alter Password Reset.

Navigate to Authentication->Schemes->Password Reset. Note that by default this is configured with a yellow Username module and a green Security Questions module.

First note the colour of the IP Authenticator module, which is red. This means that the module can be combined with any of the other modules, but does not by itself establish the identity of a user. Hence you must use it in combination with either a yellow or a blue module. Red modules can be placed anywhere in the authentication flow, even before a yellow or blue one.

Let’s keep the existing Username and Security Questions modules and click the plus icon next to IP Authenticator to add it into the authentication flow.

As this module can be placed anywhere, it makes a lot of sense to place it at the start of the authentication flow so that the user's IP address is validated first. Simply drag the module from its default position over to the left of Username and click Save at the bottom.

 

Now we need to configure which IP addresses to allow or block. Click on the edit icon inside the IP Authenticator module to start adding rules.

You may add individual IPs (both IPv4 and IPv6) to Allowed or Blocked IPs, or you can define network ranges using CIDR notation.

The example uses two IPv4 rules: the local network is set to allow, while access from a single IP is specifically blocked.

You may also set the Unauthorized Message that appears when users are being blocked.

Click Apply when you have added the rules you require.
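To sanity-check a rule set before entering it, the following added example (not LogonBox code) evaluates test addresses against allow and block lists written as single IPs or CIDR ranges. It assumes that a blocked entry overrides an allowed range, as the scenario above implies, that an address matching no allowed entry is refused, and that an empty allow list permits anything not blocked; the sample rules and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample rules mirroring the article's scenario: allow the local
# network, block one host inside it. Values are illustrative, not from the page.
ALLOWED = ["192.168.1.0/24", "2001:db8:10::/48"]
BLOCKED = ["192.168.1.50"]


def parse_rules(entries):
    """Parse single IPs or CIDR ranges; raise ValueError on a malformed entry."""
    # strict=True rejects ranges with host bits set (e.g. 192.168.1.5/24),
    # which usually indicates a typo in the rule.
    return [ipaddress.ip_network(e.strip(), strict=True) for e in entries]


def normalise(addr):
    """Return an ip_address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped  # so IPv4 rules still apply to this client
    return ip


def matches(ip, networks):
    """True if ip falls inside any network of the same IP version."""
    return any(ip.version == n.version and ip in n for n in networks)


def decide(addr, allowed, blocked):
    """Assumed semantics: block wins over allow; unmatched addresses are refused."""
    ip = normalise(addr)
    if matches(ip, blocked):
        return "blocked"
    if not allowed or matches(ip, allowed):  # assumption: empty allow list = no restriction
        return "allowed"
    return "blocked"


def check(addresses, allowed=ALLOWED, blocked=BLOCKED):
    """Evaluate each test address and return {address: decision}."""
    a, b = parse_rules(allowed), parse_rules(blocked)
    return {addr: decide(addr, a, b) for addr in addresses}
```

Run `check([...])` with addresses you expect to be allowed and refused, including the IPv4-mapped IPv6 form of a blocked host, and compare the result with what the portal does during testing.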

 

2. Testing

As we have configured this scheme for Password Reset, test it by clicking the Reset Password link on the main LogonBox portal.

 

The IP Authenticator is an invisible module. If the user is connecting from an Allowed IP address, the authentication flow will continue immediately on to the next module, which in this example is Username.

 

If the IP is not allowed, you will get a message at the lower right of the screen saying that you are not authorised.

The next module will then be shown; however, all further attempts to complete the authentication scheme will result in an authentication failure.