Network Zones

A network zone lets the administrator define a network boundary to which different authentication schemes can be applied. EAA allows you to configure network zones for certificate validation, bypass MFA, and IWA, giving you more customization and flexibility in your authentication policies.

You can add up to 1000 IPs/CIDRs to each network zone and have up to 10 network zones per tenant.

  • You can add the network zones as a bypass MFA criterion, allowing MFA to be bypassed when the user is within these network zones. When the user is outside of the network zone, MFA will be enforced.

  • You can add the network zones as a criterion for the certificate enforcement policy, allowing certificate-based authentication to be bypassed when the user is within these network zones. When the user is outside of the network zone, certificate validation is enforced for successful authentication.

  • You can add the network zones as an Integrated Windows Settings criterion, allowing IWA to be used only when the user is in these network zones. When the user is outside of the network zone, IWA is not enforced.

📘

Note

Network zones are supported by the Akamai identity provider only. The EAA Open API does not support network zones.

From the IdP list page, select the Akamai IdP to which you want to add the network zones. Go to the Settings of that identity provider and select the section where you want to configure network zones. They can be configured in the certificate validation section, the MFA section, or the IWA section. Once you have configured a network zone in one section, it can be used in the other sections. In this way, you can use one network zone to disable certificate validation for one set of users, another network zone to bypass MFA for another set of users, and another one for Integrated Windows Authentication.

For example, in this video, the admin creates a new network zone called “Austin Office Network Zone”, adds two IPs/CIDRs, saves them, and adds the zone to the Certificate validation section of the IdP’s Settings. If you check "Manage Network Zones", the "Austin Office Network Zone" has been added.

You can also upload a CSV file that contains the IPs/CIDRs. For example, in this video, the admin uploads a bypass_mfa_network_zones.csv file as a bypass MFA criterion.

📘

Note

The Austin office network zone you created in the certificate validation section is also visible in the bypass MFA section. If you want the same network zone to be used for bypass MFA, you can select it there. In this way, you can manage your network zones by creating them in one place and using them for certificate validation, bypass MFA, or IWA authentication schemes.

For steps to add network zones, refer to certificate based authentication for an IdP, configuring bypass MFA as criteria for an IdP, and Configure desktop SSO for an Akamai IdP.
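
A pre-upload check for a network zone CSV, as an added example that is not from Akamai's documentation or tooling. It assumes the file holds one IP or CIDR per cell (the page does not specify the layout), applies the 1000-entry limit stated above, and flags entries that would make a bypass zone wider than intended. The function names, the sample data and the `MIN_PREFIX` threshold are assumptions.

```python
import csv
import io
import ipaddress

MAX_ENTRIES_PER_ZONE = 1000  # per-zone limit stated on this page
MIN_PREFIX = {4: 16, 6: 32}  # assumed review threshold, not an EAA setting


def check_zone_csv(text, max_entries=MAX_ENTRIES_PER_ZONE):
    """Parse one zone's CSV text; return (networks, findings)."""
    networks, findings = [], []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for cell in filter(None, (c.strip() for c in row)):
            try:
                iface = ipaddress.ip_interface(cell)
            except ValueError:
                findings.append((row_no, cell, "not a valid IP or CIDR"))
                continue
            net = iface.network
            if iface.ip != net.network_address:
                findings.append((row_no, cell, f"host bits set, covers {net}"))
            if net.prefixlen < MIN_PREFIX[net.version]:
                findings.append((row_no, cell, "very broad range"))
            clash = next((n for n in networks if n.overlaps(net)), None)
            if clash is not None:
                findings.append((row_no, cell, f"overlaps {clash}"))
            networks.append(net)
    if len(networks) > max_entries:
        findings.append((0, "", f"{len(networks)} entries, limit is {max_entries}"))
    return networks, findings


def in_zone(client_ip, networks):
    """True if the address falls inside any entry of the zone."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in networks)


# Constructed sample, one IP or CIDR per row (documentation address ranges).
SAMPLE_CSV = """203.0.113.0/24
198.51.100.7
203.0.113.128/25
10.1.2.3/24
0.0.0.0/0
office-vpn
2001:db8::/48
"""

if __name__ == "__main__":
    nets, issues = check_zone_csv(SAMPLE_CSV)
    for row_no, cell, why in issues:
        print(f"row {row_no}: {cell!r}: {why}")
    print("198.51.100.9 in zone:", in_zone("198.51.100.9", nets))
```

With the `0.0.0.0/0` row left in, every IPv4 client counts as inside the zone, so a zone used as a bypass MFA or certificate validation criterion would bypass that check for all of them.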

📘

Note

In earlier releases, you could use on premise subnets for certificate validation, bypass MFA, IWA, and to offload web application traffic from EAA Cloud. In 2022.01 and future releases, you can continue to use 'on premise subnets' for offloading web application traffic from EAA Cloud, and use the new 'On network zones' for certificate validation, bypass MFA, and IWA. All existing networks configured with on premise subnets in earlier releases will be mapped to a default network within a network zone. No action is needed from existing customers.