AuthNull Conditional Access – FAQ & Best Practices
1. Basics – Understanding Conditional Access
What is Conditional Access in AuthNull?
Conditional Access in AuthNull allows administrators to control user access to critical systems (Linux, DBs, AD, RADIUS) based on a calculated risk score, time-bound sessions, and behavior-based conditions such as device state or network changes.
What types of systems does Conditional Access protect?
It supports:
- Linux-based endpoints
- Databases (e.g., MySQL, PostgreSQL)
- Active Directory (AD)
- RADIUS devices
What is a Risk Score in AuthNull?
A risk score (1 to 10) is assigned to each access attempt. It is based on factors like:
- Number of failed MFA attempts
- Device posture (unknown/jailbroken)
- Session behavior (e.g., switching IPs mid-session)
- Geo-location anomalies
The default block threshold is 8, but this can be configured per policy.
Is Conditional Access enforced in real time?
No — it is evaluated at the time of policy enforcement, not continuously during a session.
2. Policy Configuration & Best Practices
How do I create a Conditional Access policy?
- Log in to the AuthNull platform.
- Go to Policy Section > Create Policy.
- While defining the policy, you can optionally enable Conditional Access.
- Define risk thresholds, time conditions, and scope (users/resources).
Note: Conditional Access is handled on the backend but must be explicitly enabled when creating policies.
Best Practices:
- Use templates to standardize access policies across teams or environments.
- Begin with audit-only mode (if supported) to observe behavior before enforcement.
- Separate policies by access level, e.g., stricter policies for production or root users.
- Monitor risk scores via logs and adjust thresholds as needed.
3. Device Compliance & Risk-Based Policies
What increases or decreases a risk score?
Increases:
- Multiple MFA failures
- IP or device change during session
- Access from an unregistered or suspicious device
Decreases:
- Successful login from a known, trusted device
- Consistent behavior from expected location/network
Does the risk score decay automatically?
No, it only reduces via trusted behavior (e.g., successful logins). It does not expire over time.
Can we block high-risk sessions automatically?
Yes — if the calculated score exceeds the threshold defined in your policy (e.g., 8), access will be denied.
4. Location & IP Restrictions
Can we restrict access based on country or IP?
Yes, during policy creation you can configure:
- Allowed IP ranges
- Blocked geographies
- Restrictions for unknown or Tor-like IPs
What happens if access is attempted from an unauthorized region?
The access request is denied or challenged, based on the policy.
5. App-Specific Policies
Can I apply different Conditional Access rules to different systems?
AuthNull uses uniform policy logic, but you can define separate policies per application/resource.
Example:
- Policy A for Linux endpoints (lower risk threshold, more MFA)
- Policy B for AD (stricter time windows, geo-locking)
6. Troubleshooting
A valid user was denied access — why?
Check:
- Risk score at time of access
- Policy threshold (did they exceed 8?)
- Device trust level
- Login time restrictions or IP restrictions
Device marked non-compliant — what should the user do?
- Ensure device is registered
- Connect from a known IP/location
- Use updated OS and avoid tampered devices
7. Reporting & Monitoring
Can I view access logs related to Conditional Access?
Yes. Navigate to: Monitoring > Access Logs and filter by:
- Risk Score
- Access Result (Allowed/Denied)
- Policy Triggered
Are there alerts or automated reports?
Currently:
- No real-time alerts
- Manual or scheduled exports are available (CSV, JSON)
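Since there are no real-time alerts, exported logs have to be reviewed on a schedule. The Python below is an added example, not AuthNull code: it triages a JSON export into denials explained by risk score, denials with another cause (the Troubleshooting checks), and allowed sessions close to the threshold. The field names, the sample records, "Policy C" and its threshold of 5 are assumptions constructed for illustration.

```python
import json
from collections import Counter

DEFAULT_THRESHOLD = 8  # default block threshold stated in this FAQ

# Constructed sample export. The field names are assumptions, not AuthNull's
# documented schema; rename them to match the columns of a real export.
SAMPLE_EXPORT = """[
  {"user": "alice", "resource": "linux-prod-01", "risk_score": 9, "result": "Denied",  "policy": "Policy A"},
  {"user": "bob",   "resource": "ad-dc-01",      "risk_score": 3, "result": "Denied",  "policy": "Policy B"},
  {"user": "carol", "resource": "mysql-01",      "risk_score": 7, "result": "Allowed", "policy": "Policy A"},
  {"user": "dave",  "resource": "linux-prod-01", "risk_score": 2, "result": "Allowed", "policy": "Policy A"},
  {"user": "bob",   "resource": "ad-dc-01",      "risk_score": 4, "result": "Denied",  "policy": "Policy B"},
  {"user": "erin",  "resource": "radius-01",     "risk_score": 6, "result": "Denied",  "policy": "Policy C"}
]"""


def triage(export_json, thresholds=None, near_margin=1, repeat_limit=2):
    """Sort exported access records into review buckets.

    thresholds maps policy name -> configured block threshold; policies not
    listed fall back to DEFAULT_THRESHOLD.
    """
    thresholds = thresholds or {}
    report = {"risk_denials": [], "other_denials": [], "near_threshold": []}
    denied_per_user = Counter()
    for rec in json.loads(export_json):
        limit = thresholds.get(rec["policy"], DEFAULT_THRESHOLD)
        score = int(rec["risk_score"])
        if rec["result"].strip().lower() == "denied":
            denied_per_user[rec["user"]] += 1
            # Score above the threshold explains the denial; otherwise look at
            # device trust, login-time or IP restrictions (see Troubleshooting).
            bucket = "risk_denials" if score > limit else "other_denials"
            report[bucket].append(rec)
        elif score >= limit - near_margin:
            # Allowed, but one more risk event would likely block this user.
            report["near_threshold"].append(rec)
    report["repeat_denied_users"] = sorted(
        user for user, count in denied_per_user.items() if count >= repeat_limit
    )
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, thresholds={"Policy C": 5})
    for bucket, entries in result.items():
        print(bucket, [e["user"] if isinstance(e, dict) else e for e in entries])
```

Records in the other_denials bucket are the ones to check against device trust, login-time restrictions and IP restrictions, because the risk score alone does not explain them.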
8. Advanced Features & Integrations
Does AuthNull support Just-In-Time (JIT) Access?
Yes — time-limited access windows can be configured within policies.
Can I configure Conditional Access via API?
Yes — AuthNull supports API and CLI methods for policy creation and updates.
Is policy chaining or logic supported?
Yes, partial support (~50%). You can define multiple conditions, but complex chaining (like "if this AND that THEN allow") may be limited.
Does AuthNull integrate with identity providers like Okta?
Yes, Okta is supported. Other providers may work but are not fully verified.