Example Device Restrictions Configuration Sequence When Using the IIJ ID Service CA

This section describes an example sequence for configuring device restrictions using the IIJ ID Service CA.

The IIJ ID Service CA issues client certificates. Users can issue client certificates themselves by using the IIJ ID Service CA.

[ Reference ] This example configuration sequence assumes the following circumstances.

You can change the actual configuration sequence in accordance with your environment.

Set a period during which users can register their devices at the login screen, and instruct users to register their devices within this period. After the period elapses, prevent users from registering devices at the login screen. Disabling device registration at the login screen helps to prevent attackers who have obtained user ID and password information from registering their own devices and gaining unauthorized access.

1. Configure Device Certificate Authentication (ID Administrator)
1.1 Configuring the IIJ ID Service CA

1.2 Enabling Multi-factor Authentication as the User Login Rule

Configure the login policy as follows.

  • Enable "Restrict which devices can log in using client certificates."
  • Enable "Allow device registrations during login process (only when using IIJ ID Service CA)."

2. Register Devices (User)
2.1 Registering Devices

3. Change Login Policies (ID Administrator)
3.1 Enabling Multi-factor Authentication as the User Login Rule

Configure the login policy as follows.

  • Enable "Restrict which devices can log in using client certificates."
  • Disable "Allow device registrations during login process (only when using IIJ ID Service CA)."