Client Policies

How To Create a Client Policy

This documentation explains how to configure a client policy in WebADM.

1. What is a Client Policy?

A Client Policy provides per-client application access control and customized configurations. Client Policy objects are also used to customize the behavior of a client application (e.g. a VPN server using the OpenOTP Authentication Server).

You can create a client policy object whose name is the client ID of a Web Service client. For example, use the client names as displayed in the WebADM log viewer as the names of the client objects. Once a client is defined, any request from the corresponding client application (e.g. a VPN server sending a matching client ID) obeys the defined client policy.

For a client, you can restrict which users are able to use the client application with allowed and excluded group lists. You can also define Web Service settings that are always enforced for that client. For example, you can require the VPN to authenticate users with LDAP+OTP passwords and a Token, whatever policy is defined for the user.

2. How To Create a Client Policy on WebADM

First, log in to the WebADM graphical user interface. Click on the Admin tab; you will find a box named Client Policies.


Click on it and, on the next page, click on Add Client:


Enter a Common Name and, optionally, a description, then click on Proceed:


On the next screen, click on the Create Object button.

The Client Policy object is now created and can be configured.

Note

WebADM can match a policy with a client application through the client ID, the NAS-Identifier or the IP address of the client.

2.1 Examples of Client ID, NAS-ID or IP matching

For the OpenOTP Credential Provider for Windows:


You can put WINDOWS in the Client ID field of the Credential Provider and create a client policy named WINDOWS in WebADM.

Example for Pulse Secure:


The NAS-Identifier is MyPulse, so create a client policy named MyPulse in WebADM to match the policy with the Pulse VPN.

If you are not able to configure a NAS-ID or Client ID on your application, you can match a client policy with the IP address of your client. The IP address must be configured in the client policy itself: when you edit the client policy, you will find a setting named Client Name Aliases. Put the IP address of your client there and the policy will match during an authentication.


Note

With the Client Name Aliases setting, you can match several clients with a single client policy: list their IP addresses, comma-separated.
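Because a client can be matched by client ID, by NAS-Identifier or by an alias IP, it is worth checking your policy inventory before deploying it: a client that matches no policy falls through to the default settings, and an IP listed as an alias in two policies, or a client whose client ID names one policy while its IP is an alias of another, is ambiguous. The script below is an added example (not RCDevs code) that performs that check on a constructed inventory; the policy names, alias values and client list are sample data, and because this page does not document which match wins when several apply, the script reports every candidate rather than choosing one.

```python
"""Consistency check for a WebADM client policy inventory.

Added example, not RCDevs code. The three match methods (client ID,
NAS-Identifier, alias IP) come from the documentation; the precedence
WebADM applies when several policies could match is not documented
here, so ambiguity is reported instead of resolved. POLICIES and
CLIENTS are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed inventory: policy common name -> raw "Client Name Aliases"
# value exactly as typed in WebADM (comma-separated, may be empty).
POLICIES = {
    "WINDOWS": "",
    "MyPulse": "",
    "NETSCALER": "192.168.3.115",
    "LEGACY-RADIUS": "10.0.0.5, 10.0.0.6,192.168.3.115",
}

# Constructed client list: what each application sends to WebADM.
# None means the application cannot set that identifier.
CLIENTS = [
    {"name": "Windows workstations", "client_id": "WINDOWS", "nas_id": None, "ip": "10.1.2.3"},
    {"name": "Pulse VPN", "client_id": None, "nas_id": "MyPulse", "ip": "10.0.0.7"},
    {"name": "Citrix NetScaler", "client_id": "NETSCALER", "nas_id": None, "ip": "192.168.3.115"},
    {"name": "Old RADIUS box", "client_id": None, "nas_id": None, "ip": "10.0.0.5"},
    {"name": "Unmanaged switch", "client_id": None, "nas_id": None, "ip": "10.9.9.9"},
]


def parse_aliases(raw):
    """Split a comma-separated Client Name Aliases value into a set of IPs.
    Surrounding whitespace is tolerated; a malformed entry raises ValueError
    so a typo is caught before the policy is saved."""
    ips = set()
    for item in raw.split(","):
        item = item.strip()
        if item:
            ips.add(str(ip_address(item)))
    return ips


def duplicate_aliases(policies):
    """Return {ip: [policy names]} for every IP aliased in more than one policy."""
    seen = defaultdict(list)
    for name, raw in policies.items():
        for ip in parse_aliases(raw):
            seen[ip].append(name)
    return {ip: names for ip, names in seen.items() if len(names) > 1}


def candidate_policies(client, policies):
    """All (policy, reason) pairs that could match this client."""
    hits = []
    if client["client_id"] in policies:
        hits.append((client["client_id"], "client ID"))
    if client["nas_id"] in policies:
        hits.append((client["nas_id"], "NAS-Identifier"))
    for name, raw in policies.items():
        if client["ip"] in parse_aliases(raw):
            hits.append((name, "alias IP"))
    return hits


def audit(clients, policies):
    """Classify each client as 'ok' (exactly one policy), 'ambiguous'
    (several distinct policies) or 'unmatched' (default settings apply)."""
    report = {}
    for client in clients:
        hits = candidate_policies(client, policies)
        distinct = {name for name, _ in hits}
        if not distinct:
            status = "unmatched"
        elif len(distinct) == 1:
            status = "ok"
        else:
            status = "ambiguous"
        report[client["name"]] = (status, hits)
    return report


if __name__ == "__main__":
    for ip, names in duplicate_aliases(POLICIES).items():
        print(f"alias {ip} is listed in several policies: {', '.join(names)}")
    for name, (status, hits) in audit(CLIENTS, POLICIES).items():
        print(f"{status:9} {name}: {hits}")
```

In the sample data the NetScaler is ambiguous because its IP was also pasted into the LEGACY-RADIUS aliases, and the unmanaged switch matches nothing, so it would run with the default application settings rather than the forced ones.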

3. Client Policy Configuration

Go to the Client Policies menu and click on CONFIGURE next to the policy previously created. You are now in the client policy configuration. Many settings can be applied here, such as which users, groups and networks the client policy applies to, allowed/excluded hours, which domain, and so on.

If you scroll down a little, you will find the setting named Forced Application Policies.


Check the box on the left and click on the Edit button. On the next screen, you can completely reconfigure an application.

In our example, we will choose OpenOTP:


You can now choose every setting you want and reconfigure the OpenOTP application for this client. The client policy overrides the default application settings as well as the user and group settings. Because it wins over the user and group settings, review a forced policy like any other enforcement point: a policy that forces a weaker login mode relaxes authentication for every request coming from that client.

After editing the configuration, click on the Apply button to save it.

Note

You can also add settings per network or override some settings per group.


4. Logs Showing Whether a Client Policy Matched

Try an authentication from your client application, then log in to the WebADM GUI and click on the Databases tab. In the System Log Files section, click on the WebADM Server Log file.

[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] New openotpSimpleLogin SOAP request
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] > Username: administrateur
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] > Domain: yorcdevs.com
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] > Password: xxxxxxxx
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] > Client ID: NETSCALER
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] > Source IP: 192.168.3.115
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Enforcing client policy: NETSCALER (matched client ID)
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Registered openotpSimpleLogin request
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Resolved LDAP user: CN=Administrateur,CN=Users,DC=yorcdevs,DC=com (cached)
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Resolved LDAP groups: propriétaires créateurs de la stratégie de groupe,admins du domaine,administrateurs de l’entreprise,administrateurs du schéma,administrateurs,utilisateurs du bureau à distance,groupe de réplication dont le mot de passe rodc est refusé
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Started transaction lock for user
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Found user language: EN
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Found 1 user mobiles: +3520000000
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Found 1 user emails: xxxxxx@rcdevs.com
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Found 3 user certificates
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Found 38 user settings: LoginMode=LDAPOTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=Yes,ChallengeTimeout=90,MobileTimeout=30,PushLogin=Yes,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,MOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,LastOTPTime=300,ListChallengeMode=ShowID
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Found 10 user data: LoginCount,RejectCount,OTPPrefix,TokenType,TokenKey,TokenState,TokenID,Device1Name,Device1Data,Device1State
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Found 1 registered OTP token (TOTP)
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Requested login factors: LDAP & OTP
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] LDAP password Ok
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Challenge required
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Sent push notification for token #1
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Waiting 28 seconds for mobile push response
[2017-12-06 14:21:05] [192.168.3.56]  [OpenOTP:LZ33NOWW] Received mobile request (authentication)
[2017-12-06 14:21:05] [192.168.3.56]  [OpenOTP:LZ33NOWW] > Session: kq7sxP3OabLXpygI
[2017-12-06 14:21:05] [192.168.3.56]  [OpenOTP:LZ33NOWW] > Encoded OTP Password: xxxxxx
[2017-12-06 14:21:05] [192.168.3.56]  [OpenOTP:R8MFCYSQ] Found challenge session started 2017-12-06 14:21:01
[2017-12-06 14:21:06] [192.168.3.115] [OpenOTP:R8MFCYSQ] PUSH password Ok (token #1)
[2017-12-06 14:21:06] [192.168.3.115] [OpenOTP:R8MFCYSQ] Updated user data
[2017-12-06 14:21:06] [192.168.3.115] [OpenOTP:R8MFCYSQ] Sent success response

You can see in the transaction log above that the client ID passed by the client application is NETSCALER and that the client matched a client policy:

[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] > Client ID: NETSCALER
...
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Enforcing client policy: NETSCALER (matched client ID)

So the client policy is applied, and the settings defined in this policy will be required/available during the authentication.
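Reading the server log by hand works for one test login; across many clients it is easier to group the log by request ID and report, per login request, the Client ID sent, the policy enforced and how it matched, and whether any login request went through with no "Enforcing client policy" line at all (which means the default application and user settings applied instead of the forced ones). The parser below is an added example, not RCDevs code; it is fed a constructed excerpt that reuses the line formats shown above plus a second, constructed request (ID ABCD1234, Client ID UNKNOWNBOX) for which no policy matched. Only the "(matched client ID)" wording is taken from this page; other match reasons are captured generically.

```python
"""Group a WebADM server log by OpenOTP request ID and check client policy
enforcement per login request. Added example, not RCDevs code. SAMPLE_LOG
is a constructed excerpt: the R8MFCYSQ / LZ33NOWW lines follow the format
shown in the documentation, the ABCD1234 request is made up to show a
login with no matching client policy."""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] New openotpSimpleLogin SOAP request
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] > Username: administrateur
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] > Domain: yorcdevs.com
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] > Password: xxxxxxxx
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] > Client ID: NETSCALER
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] > Source IP: 192.168.3.115
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Enforcing client policy: NETSCALER (matched client ID)
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Requested login factors: LDAP & OTP
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] LDAP password Ok
[2017-12-06 14:21:01] [192.168.3.115] [OpenOTP:R8MFCYSQ] Challenge required
[2017-12-06 14:21:05] [192.168.3.56]  [OpenOTP:LZ33NOWW] Received mobile request (authentication)
[2017-12-06 14:21:05] [192.168.3.56]  [OpenOTP:LZ33NOWW] > Session: kq7sxP3OabLXpygI
[2017-12-06 14:21:06] [192.168.3.115] [OpenOTP:R8MFCYSQ] PUSH password Ok (token #1)
[2017-12-06 14:21:06] [192.168.3.115] [OpenOTP:R8MFCYSQ] Sent success response
[2017-12-06 14:25:13] [192.168.3.200] [OpenOTP:ABCD1234] New openotpSimpleLogin SOAP request
[2017-12-06 14:25:13] [192.168.3.200] [OpenOTP:ABCD1234] > Username: jdoe
[2017-12-06 14:25:13] [192.168.3.200] [OpenOTP:ABCD1234] > Domain: yorcdevs.com
[2017-12-06 14:25:13] [192.168.3.200] [OpenOTP:ABCD1234] > Password: xxxxxxxx
[2017-12-06 14:25:13] [192.168.3.200] [OpenOTP:ABCD1234] > Client ID: UNKNOWNBOX
[2017-12-06 14:25:13] [192.168.3.200] [OpenOTP:ABCD1234] > Source IP: 192.168.3.200
[2017-12-06 14:25:13] [192.168.3.200] [OpenOTP:ABCD1234] Registered openotpSimpleLogin request
"""

# [timestamp] [peer ip] [OpenOTP:REQID] message  (one or more spaces before
# the request-ID bracket, as the log pads short IPs)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<ip>[^\]]+)\]\s+\[OpenOTP:(?P<req>[A-Z0-9]+)\] (?P<msg>.*)$"
)
POLICY_RE = re.compile(r"^Enforcing client policy: (?P<name>\S+) \(matched (?P<how>[^)]+)\)$")


def parse_requests(text):
    """Return an ordered {request_id: summary} built from the log lines."""
    reqs = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an OpenOTP line (other services log here too)
        r = reqs.setdefault(m["req"], {
            "first_seen": m["ts"], "client_id": None, "source_ip": None,
            "policy": None, "matched_by": None, "factors": None, "success": False,
        })
        msg = m["msg"]
        if msg.startswith("> Client ID: "):
            r["client_id"] = msg[len("> Client ID: "):]
        elif msg.startswith("> Source IP: "):
            r["source_ip"] = msg[len("> Source IP: "):]
        elif msg.startswith("Requested login factors: "):
            r["factors"] = msg[len("Requested login factors: "):]
        elif msg == "Sent success response":
            r["success"] = True
        else:
            pm = POLICY_RE.match(msg)
            if pm:
                r["policy"], r["matched_by"] = pm["name"], pm["how"]
    return reqs


def policy_findings(reqs):
    """One finding per login request (requests carrying a Client ID or Source
    IP); mobile-side requests such as push responses are skipped."""
    findings = {}
    for req, r in reqs.items():
        if r["client_id"] is None and r["source_ip"] is None:
            continue
        if r["policy"] is None:
            findings[req] = "NO_POLICY"          # defaults applied, not the forced policy
        elif r["matched_by"] == "client ID" and r["policy"] != r["client_id"]:
            findings[req] = "POLICY_NAME_MISMATCH"
        else:
            findings[req] = "OK"
    return findings


if __name__ == "__main__":
    parsed = parse_requests(SAMPLE_LOG)
    for req, verdict in policy_findings(parsed).items():
        r = parsed[req]
        print(f"{req} {verdict:22} client_id={r['client_id']} policy={r['policy']} "
              f"via={r['matched_by']} factors={r['factors']} success={r['success']}")
```

Run against the real WebADM Server Log file instead of the sample, a NO_POLICY verdict on a production client ID is the thing to chase: it means the client name in the application, the policy's common name or its Client Name Aliases do not line up.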