Allowing CF tunnel access by ip/host

What is the name of the domain?

What is the issue you’re encountering?

Help with configuration - likely rules. I would like to allow access (without a one-time pass) to a few phones and maybe a tablet. I’ve seen a few projects that use IP-based authentication and was thinking of doing the same. Is there a method that I can use for my mobile device (dynamic IP) to gain access to my self-hosted services (via CF tunnel)? I was thinking of getting the phone to update, say, a subdomain, but then I couldn’t add subdomains as IP rules. I can’t add the actual IP as it’s dynamic. Any ideas?

What steps have you taken to resolve the issue?

NA

What are the steps to reproduce the issue?

NA

You won’t be able to add your hostname as an allowed source in most products because that would require a reverse DNS lookup to match it with your source IP. Since your request originates from an IP address (not a hostname), access policies need to be based on request attributes such as IP, user-agent, source country, client certificate, etc.

For your use case, Access is the best solution. You can create an application, assign it to a subdomain, and then define a policy to allow specific users based on email, client certificates, or other selectors that provide granular control.

Hi @ncano. Thank you so much for your reply. I currently do have Access applications set up inside Zero Trust for the local services that I host for the family. The main problem, honestly, is the wife factor. Although it may sound crazy, the monthly authentication per application is the difficult part…

So, I set out trying to think of other ways to get around the stepped authentication; one was allowlisting our internal and external (mobile phone) IP addresses (yes, I know it isn’t as secure). But then I run into the problem of the dynamic nature of mobile phone / telecommunication providers’ IP addresses. So, instead of the IP, I thought I could have an iOS shortcut / script / app that would update a subdomain with the current IP of the mobile device (say we have 2-4 at any one time). That is why I posted this thread: to see if anyone else had ideas or methods by which they have achieved this.

I found many many posts with similar issues, but I couldn’t find one that was exactly the same.

So… if I can’t use the dynamic updates of a hostname, is there a way that you (or anyone else) know of that would let me update the current IP address of each device into a list, or something else that I can add to the Access policy for that device, to allowlist it and skip the two-factor-style authentication and just allow access to each application if it is coming from that IP address? Thanks
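An added example (not from the original thread, and not Cloudflare’s or either poster’s code) of the "dynamic DNS, but for an Access policy" idea raised in the question and in @ncano’s reply: instead of updating a hostname, a small script on each device discovers its current public IP and writes it, as a /32 or /128 `ip` rule, into an Access group that the application policy already references. It keeps any existing non-IP rules (e.g. email rules) in the group, refuses obviously bad addresses (0.0.0.0, loopback, a whole CIDR) so a broken shortcut cannot accidentally allowlist the world, and reads credentials from environment variables. Assumptions: the public IP is taken from Cloudflare’s `https://1.1.1.1/cdn-cgi/trace` endpoint (its `ip=` line); the group is read and replaced via `GET`/`PUT /accounts/{account_id}/access/groups/{group_id}` with an `include` list of `{"ip": {"ip": "<cidr>"}}` rules, which is my reading of the Access groups API and should be checked against current documentation; `CF_ACCOUNT_ID`, `CF_ACCESS_GROUP_ID`, `CF_API_TOKEN` and `DEVICE_NAME` are hypothetical environment variable names. The sample trace response in the file is constructed.

```python
"""Publish this device's current public IP into a Cloudflare Access group.

Example code only: not Cloudflare's code and not the thread's code.
API endpoint and rule shapes are assumptions noted in the comments."""
import ipaddress
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"  # Cloudflare API root
TRACE_URL = "https://1.1.1.1/cdn-cgi/trace"         # returns key=value lines, incl. ip=

# Constructed sample of what the trace endpoint returns (used by the self-check).
SAMPLE_TRACE = "fl=12abc\nh=1.1.1.1\nip=203.0.113.7\nts=1700000000.123\nvisit_scheme=https\n"


def parse_trace_ip(body):
    """Pull the 'ip=' value out of a /cdn-cgi/trace response body."""
    for line in body.splitlines():
        key, _, value = line.partition("=")
        if key == "ip":
            return value.strip()
    raise ValueError("no ip= line in trace response")


def current_public_ip():
    """Ask Cloudflare which public IP this device is egressing from."""
    with urllib.request.urlopen(TRACE_URL, timeout=10) as resp:
        return parse_trace_ip(resp.read().decode())


def build_include_rules(device_ips):
    """Turn single device addresses into Access 'ip' rules, one host route each.

    ipaddress.ip_address() rejects CIDRs such as '0.0.0.0/0', and we refuse
    unspecified, loopback, link-local and multicast values, so a misbehaving
    updater cannot widen the allowlist beyond one host per device.
    """
    rules = []
    for raw in device_ips:
        addr = ipaddress.ip_address(raw.strip())
        if addr.is_unspecified or addr.is_loopback or addr.is_link_local or addr.is_multicast:
            raise ValueError(f"refusing to allowlist {addr}")
        # Assumed rule shape: {"ip": {"ip": "<cidr>"}}; /32 for IPv4, /128 for IPv6.
        rules.append({"ip": {"ip": f"{addr}/{addr.max_prefixlen}"}})
    return rules


def merge_group_include(existing_include, device_ips):
    """Replace only the IP rules in a group's include list; keep email/other rules."""
    kept = [rule for rule in existing_include if "ip" not in rule]
    return kept + build_include_rules(device_ips)


def _request(method, path, token, payload=None):
    """Minimal authenticated JSON call against the Cloudflare API."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        API_BASE + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"API error: {body.get('errors')}")
    return body["result"]


def sync_device_ip(account_id, group_id, token, device_name, ip):
    """Read the group, swap in this device's IP, write it back. Returns new include list."""
    # Assumed endpoints: GET and PUT /accounts/{account_id}/access/groups/{group_id}
    path = f"/accounts/{account_id}/access/groups/{group_id}"
    group = _request("GET", path, token)
    # Keep other devices' IPs: drop only the rule previously recorded for this device name,
    # which we track in a sidecar file so each device only ever replaces its own entry.
    others = load_other_devices(device_name)
    include = merge_group_include(group.get("include", []), list(others.values()) + [ip])
    _request("PUT", path, token, {"name": group["name"], "include": include})
    save_device_ip(device_name, ip)
    return include


def load_other_devices(device_name, state_file="device_ips.json"):
    """Local record of device->IP written by previous runs (hypothetical sidecar file)."""
    if not os.path.exists(state_file):
        return {}
    with open(state_file) as fh:
        state = json.load(fh)
    return {name: ip for name, ip in state.items() if name != device_name}


def save_device_ip(device_name, ip, state_file="device_ips.json"):
    state = {}
    if os.path.exists(state_file):
        with open(state_file) as fh:
            state = json.load(fh)
    state[device_name] = ip
    with open(state_file, "w") as fh:
        json.dump(state, fh)


if __name__ == "__main__":
    # Hypothetical environment variable names; set them on each device before running.
    env = {k: os.environ[k] for k in ("CF_ACCOUNT_ID", "CF_ACCESS_GROUP_ID", "CF_API_TOKEN", "DEVICE_NAME")}
    new_rules = sync_device_ip(env["CF_ACCOUNT_ID"], env["CF_ACCESS_GROUP_ID"],
                               env["CF_API_TOKEN"], env["DEVICE_NAME"], current_public_ip())
    print(json.dumps(new_rules, indent=2))
```

Run it from a scheduled job or shortcut on each device with an API token scoped only to Access groups; because the Access policy references the group rather than literal addresses, nothing about the application or its other rules changes when the IPs rotate. The same `ip` rule can be combined in the policy with a second selector so that an IP match alone is not the whole decision.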