
Configuring Authentication Modes

After you have enabled access authentication and synchronized user groups, you can further control authentication by configuring authentication modes for address scopes to which certain users or devices belong. Authentication modes give you the flexibility of mandating authentication for certain users while allowing others to bypass authentication.

You start by creating an IP space that you associate with a host that has the Access Authentication service enabled. You then configure address blocks or subnets in the IP space, tag the address scopes with the predefined tag “IB_Onprem_AuthN”, and provide either “Exclude” or “Include” as the key value. You can then go to the host with which you have associated the IP space and configure authentication modes for the address scopes you created.

To configure authentication modes, complete the following:

  1. From the Infoblox Portal, go to Configure > Networking > IPAM/DHCP.

  2. On the Address Spaces page, click Create > IP Space to create an IP space to which you add address blocks or subnets, as described in Configuring IP Space.

  3. On the Address Spaces page, click Create > Address Blocks or Create > Subnets to add an address scope to the newly created IP space, as described in Creating Subnets. Ensure that you do the following when creating an address block or subnet:

    • Choose the IP space you just created.

    • Choose the host you want to associate with the IP space. Ensure that the host has the Access Authentication service enabled.

    • Add the “IB_Onprem_AuthN” key tag and enter “Exclude” as the key value if you want to exclude the address block from authentication, or enter “Include” to include the address scope for authentication. For information, see Managing Tags.

  4. After you have successfully created the IP space and address scopes, go to Manage > Infrastructure > Services.

  5. Choose the existing Access Authentication service to which you want to add an authentication mode, and then click Edit.

  6. In the Edit Access Authentication wizard, scroll down and choose the address scope from the table, and then complete the following.

    • Tagged Authentication Mode: Choose one of the following modes for the chosen address block:

      • Disabled: The tagged authentication control is disabled. All clients must be authenticated. 

      • Exclusions: Clients from the address scopes tagged for exclusion will bypass authentication. Other clients outside of the address scopes must be authenticated. 

      • Inclusions: Clients from the address scopes tagged for inclusion must be authenticated. Other clients will bypass authentication.

      • Both: Clients from the address scopes tagged for inclusion and clients from untagged address scopes must be authenticated. Clients from the scopes tagged for exclusion will bypass authentication. 

  7. Click Save & Close.
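
The following Python sketch is an added example, not Infoblox code: it applies the four Tagged Authentication Mode rules above to client addresses so you can review which clients would bypass authentication before you save a mode. The sample scopes are constructed, and two behaviors are assumptions this page does not confirm: Include tags are ignored in Exclusions mode, and in Both mode the most specific tagged scope decides when scopes overlap.

```python
import ipaddress

TAG_KEY = "IB_Onprem_AuthN"  # predefined tag key named on this page

def matching_tags(client_ip, scopes):
    """Return (prefixlen, tag value) for every tagged scope containing the client."""
    ip = ipaddress.ip_address(client_ip)
    hits = []
    for cidr, tags in scopes:
        net = ipaddress.ip_network(cidr)
        value = tags.get(TAG_KEY)
        if value in ("Include", "Exclude") and ip in net:
            hits.append((net.prefixlen, value))
    return hits

def must_authenticate(mode, client_ip, scopes):
    """Apply the four Tagged Authentication Mode rules to one client address."""
    hits = matching_tags(client_ip, scopes)
    values = {value for _, value in hits}
    if mode == "Disabled":
        return True                       # tags ignored, every client authenticates
    if mode == "Exclusions":
        return "Exclude" not in values    # assumption: Include tags are ignored here
    if mode == "Inclusions":
        return "Include" in values        # untagged and excluded clients bypass
    if mode == "Both":
        if not hits:
            return True                   # untagged scopes must authenticate
        # Assumption: on overlap the most specific tagged scope decides.
        return max(hits)[1] != "Exclude"
    raise ValueError(f"unknown mode: {mode!r}")

# Constructed sample scopes (not from the page): a block with a nested subnet.
SCOPES = [
    ("10.20.0.0/16", {TAG_KEY: "Exclude"}),
    ("10.20.5.0/24", {TAG_KEY: "Include"}),
    ("10.30.0.0/16", {}),
]

def bypass_report(clients, scopes=SCOPES):
    """Map each mode to the clients that would skip authentication."""
    modes = ("Disabled", "Exclusions", "Inclusions", "Both")
    return {m: [c for c in clients if not must_authenticate(m, c, scopes)]
            for m in modes}

if __name__ == "__main__":
    for mode, ips in bypass_report(["10.20.1.9", "10.20.5.7", "10.30.0.4"]).items():
        print(f"{mode:<11} bypass: {ips}")
```

In this sample, Inclusions is the only mode in which the untagged client 10.30.0.4 bypasses authentication, so any address scope you forget to tag is unauthenticated in that mode.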