Skip to main content

Access Control

SecTrail MFA provides comprehensive access control policies based on location, time, IP address, and user behavior.

Policy Types

Geo-Location Policies

Access control based on the user's geographical location.

  • GeoIP Database: Automatic country/city detection
  • Whitelist/Blacklist: Allow or block specific countries
  • Granular Control: Application or user-based policies

Time-Based Policies

Restricting authentication to specific timeframes.

  • Business Hours: Allow access only during working hours
  • Maintenance Windows: Block access during maintenance
  • Time Zone Support: Configuration for multiple time zones

IP-Based Controls

Managing access based on source IP addresses.

  • IP Whitelisting: Allow specific IP ranges
  • IP Blacklisting: Block known malicious IPs
  • Dynamic Lists: Threat intelligence integration

User Blocking

Blocking specific users or groups from authentication.

  • Manual Blocking: Administrator-initiated user suspension
  • Automatic Blocking: Failed login thresholds
  • Temporary Locks: Time-limited blocks

CAPTCHA Protection

CAPTCHA challenges to prevent automated attacks.

  • Failed Login Trigger: Show CAPTCHA after X failed attempts
  • Bot Detection: Prevent brute-force attacks
  • reCAPTCHA Integration: Support for Google reCAPTCHA

MFA Bypass Policy

Allow users who recently completed a full MFA to skip additional factors within a configurable time window.

  • Per-Application Scope: Bypass state is independent per application
  • User Filtering: Apply to all users or only users matching a specific attribute/group
  • Configurable Window: 1 minute to 24 hours
  • Priority Ordering: Multiple policies evaluated in order; first match wins

Policy Enforcement Levels

Access control policies can be applied at multiple levels:

  1. Global Level: All applications and users
  2. Application Level: Specific RADIUS clients or SSO applications
  3. Group Level: Specific user groups
  4. User Level: Individual users

Policy Combinations

Multiple policies can be combined for comprehensive security:

Example: Secure VPN Access
├── GeoIP: Allow only from Turkey
├── Time: Business hours (Mon-Fri 08:00-18:00)
├── IP Whitelist: Corporate IP ranges
└── CAPTCHA: After 3 failed attempts

Best Practices

  • Start Permissive: Begin with looser policies and gradually tighten them
  • Comprehensive Testing: Verify that policies do not block legitimate users
  • Monitor Logs: Regularly review access denials
  • Layered Policies: Use multiple policy types for defense-in-depth
  • Whitelist Critical Users: Ensure administrators can always access
Important

Access control policies are evaluated BEFORE authentication factors. Blocked users will not be prompted for MFA.

Test

Use the "Policy Simulation" feature to test policies before applying them to production.