Create an auth policy

Auth policies define a set of conditions that an identity must meet to be considered authenticated and to gain access to the network. These policies establish the required criteria for a client to join and connect to the network. When an identity is created, it is assigned an auth policy (either one you specify or the system's default policy), and this assignment can be updated at any time.

warning
  • Policies control the fundamental security and access of your network. Be very careful when making adjustments to any policy, as improper configuration can lock users out of the network.
  • Default auth policy: Modifying the default policy is strongly discouraged and can have widespread, unintended consequences across all identities that rely on it. It's best practice to create new, specific auth policies rather than modifying the default.

Steps

  1. From the console, select your network from the dropdown in the left-hand menu.

  2. Click Authentication from the same menu.

  3. Click the Auth Policies tab.

  4. Click the plus icon (+) to open the Create Auth Policy form.

  5. Enter a unique Name for the policy (e.g., MFA-required-policy).

  6. Configure the Primary Authentication method:

    • CERT: Toggle to YES to allow X.509 certificate-based authentication. This is the most common type of authentication and is used by default.

    • EXT JWT: Toggle to YES to allow authentication via an external JSON Web Token (JWT) issued by a third-party Identity Provider. This is the mechanism used to enable standard single sign-on (SSO) flows, such as the OIDC Authorization Code with PKCE flow. This allows you to integrate with enterprise IdPs, including Azure AD, Okta, Auth0, Keycloak, and others.

    • UPDB: Toggle to YES to allow authentication using a username and password stored in the internal NetFoundry user/password database.

      warning

      This authentication method is generally not recommended for production environments. For stronger security and centralized management, we strongly advise using CERT or EXT JWT methods integrated with an existing identity provider. Also note that identities using UPDB aren't usable by client tunnelers.

  7. After selecting the primary method in step 6, specific configuration options appear. These fields are necessary to implement the chosen authentication method:

    • CERT options:

      • Allowed expired certificates: Select YES/NO. We strongly recommend enabling this toggle. Devices can be offline for long periods, and forcing certificate renewal while a device is offline can create difficult recovery situations for users. Enabling this allows the device to connect even with an expired certificate, prioritizing network reachability and connectivity stability.

    • EXT JWT options:

      • Allowed JWT signers: Select the external JWT signers (Identity Providers) that are trusted to issue tokens for identities using this policy. This links authentication to the external IdP's security domain and allows the network to verify the token's signature.

    • UPDB options: Configure the local password requirements for identities using this method:

      • Minimum length: Set the minimum number of characters required for the password.
      • Max attempts: Define the maximum number of failed login attempts allowed before the account is temporarily locked.
      • Lockout duration: Specify the length of time the account remains locked after reaching the maximum attempts.
      • Mixed case: Toggle YES/NO to require the password to contain a mixture of upper and lower case characters.
      • Numeric: Toggle YES/NO to require the password to contain at least one numeric digit (0-9).
      • Special: Toggle YES/NO to require the password to contain at least one special character (e.g., !, @, #, $).
  8. Configure Secondary Authentication (Optional):

    Secondary authentication methods are used to require an additional layer of verification after the primary authentication method is successful, increasing the overall security assurance of the identity.

    • Require TOTP: Toggle to YES to enforce the use of a Time-based One-Time Password (TOTP) application (commonly known as 2FA or MFA) for sign-in.
    • JWT Signer: Select a pre-configured JWT Signer from the dropdown menu if you're using an external identity provider to handle authentication.
  9. (Optional) Toggle Show more options to ON to configure custom tags:

    • Custom tags: Use the Name and Value fields to attach non-functional metadata to the policy for tracking or inventory purposes.
  10. Click Save.

    After clicking Save, the new auth policy is available for association with any new or existing identity in the network.
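To make the UPDB options in step 7 concrete, the following added example models how a local password policy and its lockout rules behave. It is not NetFoundry or OpenZiti code: the names UpdbPolicy, check_password and LoginTracker are hypothetical, the sample policy values and usernames are constructed, and the lockout duration is expressed in seconds here rather than in the console's own units. The example goes slightly beyond the page by showing the consecutive-failure counter resetting after a successful sign-in and the lock expiring once the lockout duration has passed.

```python
"""Constructed model of the UPDB password and lockout options (not product code)."""
import string
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UpdbPolicy:
    """Hypothetical mirror of the UPDB options: minimum length, max attempts,
    lockout duration, mixed case, numeric and special-character requirements."""
    min_length: int = 12
    max_attempts: int = 5
    lockout_duration_s: int = 300          # assumption: modelled in seconds
    require_mixed_case: bool = True
    require_numeric: bool = True
    require_special: bool = True


def check_password(policy: UpdbPolicy, password: str) -> list:
    """Return the list of policy rules the password fails (empty means compliant)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if policy.require_mixed_case and not (has_lower and has_upper):
        failures.append("no mixture of upper and lower case")
    if policy.require_numeric and not any(c.isdigit() for c in password):
        failures.append("no numeric digit")
    # string.punctuation covers the examples on the page: ! @ # $
    if policy.require_special and not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


@dataclass
class LoginTracker:
    """Counts consecutive failed attempts per user and enforces the lockout window."""
    policy: UpdbPolicy
    failed: dict = field(default_factory=dict)        # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unlock timestamp

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def attempt(self, user: str, credential_ok: bool, now: float) -> str:
        """Record one sign-in attempt; returns 'locked', 'ok' or 'failed'.

        While the account is locked, even a correct password is rejected.
        A successful attempt clears the failure counter; reaching max_attempts
        locks the account for lockout_duration_s and resets the counter so the
        next window starts fresh after the lock expires.
        """
        if self.is_locked(user, now):
            return "locked"
        if credential_ok:
            self.failed.pop(user, None)
            self.locked_until.pop(user, None)
            return "ok"
        count = self.failed.get(user, 0) + 1
        self.failed[user] = count
        if count >= self.policy.max_attempts:
            self.locked_until[user] = now + self.policy.lockout_duration_s
            self.failed.pop(user, None)
            return "locked"
        return "failed"


if __name__ == "__main__":
    policy = UpdbPolicy(min_length=12, max_attempts=3, lockout_duration_s=60)
    print(check_password(policy, "password"))          # fails every rule
    print(check_password(policy, "Tr0ub4dor&3x!"))     # [] -> compliant
    tracker = LoginTracker(policy)
    for t, ok in [(0, False), (1, False), (2, False), (3, True), (70, True)]:
        print(t, tracker.attempt("alice", ok, now=t))
```

The tracker keys its state on the username, which matches how the page describes lockout (the account is locked, not the client address), so a correct password submitted during the lockout window is still refused until the duration elapses.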