You create two policy rules for FIDO2 in the default access policy in the Workspace ONE Access service: a registration rule and an authentication rule.

Prerequisites

FIDO2 authentication enabled and configured in the Workspace ONE Access service. See How to Configure FIDO2 Passwordless Authentication in Workspace ONE Access (Cloud Only).

Procedure

  1. In the Workspace ONE Access console Resources > Policies page, select EDIT DEFAULT POLICY.
  2. Click Next to open the Configuration page.
  3. To create the registration rule, click Add Policy Rule.
    Configure the rule options as follows:
    If a user's network range is: Select the network range. Make sure that the network ranges you select cover all end user IP addresses that are used for FIDO2 registration.
    Note: If you select ALL RANGES, validate that the IP addresses that are defined incorporate all possible end user client IP ranges.
    and user accessing content from: Select the device type All Device Types.
    and user belongs to groups: If this access rule is going to apply to specific groups, search for the groups in the search box. If no group is selected, the access policy rule applies to all users.
    and user is registering FIDO2 authenticator: Set this to YES.
    Then perform this action: Select Authenticate using.
    then the user may authenticate using: Configure the authentication method that is presented to users before allowing them to register an authenticator to their account.
    If the preceding methods fails or is not applicable, then: (Optional) Configure fallback authentication methods.
    Note: If you are registering FIDO2 keys from the Workspace ONE Access console, the registration policy rule is not required.
  4. Click SAVE. The Configuration page is displayed.
  5. To create the authentication rule, click Add Policy Rule.
    Configure the rule options as follows:
    If a user's network range is: Select the network range.
    and user accessing content from: Select the device type All Device Types.
    and user belongs to groups: If this access rule is going to apply to specific groups, search for the groups in the search box. If no group is selected, the access policy rule applies to all users.
    and user is registering FIDO2 authenticator: Set this to NO.
    Then perform this action: Select Authenticate using.
    then the user may authenticate using: Select FIDO2.
    If the preceding methods fails or is not applicable, then: (Optional) Configure fallback authentication methods.
  6. Click SAVE.
  7. In the Configuration page, move the FIDO2 registration policy rule above the FIDO2 authentication policy rule so that users can register an authenticator.
  8. Click NEXT and then click SAVE.
Troubleshooting: Access Denied when signing in

When users sign in and receive an Access Denied message, the access policy might not be configured correctly.

  • In the Workspace ONE Access console, open the Monitor > Reports page and select the Audit Events report.
  • Create the report. Select the user name and, for Type, select LOGIN_ERROR.
  • Select View Details.

    In the Event Log, if the entries display "requestParams" : "[fido2Enrollment]", "message" : "No matching policy found.", ensure that the FIDO2 end user registration policy rule incorporates all necessary IP ranges. If the rule uses ALL RANGES, review the network ranges that make up ALL RANGES to confirm that they really cover every end user client IP range.
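The following is an added example, not code from this page or from the Workspace ONE Access product. It models the two rules from the procedure (registration rule placed first, as step 7 requires) as an ordered, first-match policy and then triages constructed audit-event lines for the "No matching policy found." case described above, reporting which client IPs fall outside the registration rule's network ranges. The rule semantics (the registration toggle as a strict match condition, first rule wins), the CIDRs, the "Password" method name, and the JSON field names of the audit events are all assumptions made for the example; the real Audit Events report may use different fields.

```python
"""Added example (not Workspace ONE Access code): a first-match model of the
FIDO2 registration and authentication rules, plus a triage helper for
"No matching policy found." audit events. All semantics and field names are
assumptions for illustration."""
import json
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    network_ranges: list              # CIDRs; "0.0.0.0/0" stands in for ALL RANGES
    device_types: set                 # {"all"} = All Device Types
    groups: set                       # empty set = rule applies to all users
    registering_fido2: bool           # "and user is registering FIDO2 authenticator"
    auth_methods: list                # "then the user may authenticate using"
    fallback: list = field(default_factory=list)  # optional fallback methods

    def matches(self, req: dict) -> bool:
        ip = ip_address(req["client_ip"])
        in_range = any(ip in ip_network(cidr) for cidr in self.network_ranges)
        device_ok = "all" in self.device_types or req["device_type"] in self.device_types
        group_ok = not self.groups or bool(self.groups & set(req["groups"]))
        # Assumption: the registering toggle is a strict match condition.
        return (in_range and device_ok and group_ok
                and self.registering_fido2 == req["registering_fido2"])


def evaluate(rules: list, req: dict):
    """First-match evaluation: rule order in the Configuration page matters."""
    for rule in rules:
        if rule.matches(req):
            return rule
    return None


def decision(rules: list, req: dict) -> str:
    """Human-readable outcome for a sign-in or registration request."""
    rule = evaluate(rules, req)
    if rule is None:
        return "Access Denied: No matching policy found."
    methods = " -> ".join(rule.auth_methods + rule.fallback)
    return f"{rule.name}: authenticate using {methods}"


# Hypothetical corporate ranges; "Password" is a placeholder method name.
CORPORATE_RANGES = ["10.0.0.0/8", "192.0.2.0/24"]
REGISTRATION_RULE = Rule("FIDO2 registration", CORPORATE_RANGES, {"all"}, set(),
                         True, ["Password"])
AUTHENTICATION_RULE = Rule("FIDO2 authentication", ["0.0.0.0/0"], {"all"}, set(),
                           False, ["FIDO2"])
POLICY = [REGISTRATION_RULE, AUTHENTICATION_RULE]   # registration rule on top

# Constructed audit-event lines (field names assumed, not the product's format).
AUDIT_EVENTS = [
    '{"type":"LOGIN_ERROR","user":"alice","clientIp":"203.0.113.7",'
    '"requestParams":"[fido2Enrollment]","message":"No matching policy found."}',
    '{"type":"LOGIN_ERROR","user":"bob","clientIp":"10.1.2.3",'
    '"requestParams":"[]","message":"Invalid credentials."}',
    '{"type":"LOGIN","user":"carol","clientIp":"10.9.8.7",'
    '"requestParams":"[]","message":"OK"}',
]


def uncovered_enrollment_ips(lines: list, registration_rule: Rule) -> list:
    """Return (user, ip) for fido2Enrollment LOGIN_ERROR events whose client IP
    is outside the registration rule's network ranges, i.e. the case the
    troubleshooting section attributes to an incomplete range list."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("type") != "LOGIN_ERROR":
            continue
        if "fido2Enrollment" not in ev.get("requestParams", ""):
            continue
        if ev.get("message") != "No matching policy found.":
            continue
        ip = ip_address(ev["clientIp"])
        covered = any(ip in ip_network(c) for c in registration_rule.network_ranges)
        if not covered:
            hits.append((ev["user"], ev["clientIp"]))
    return hits


if __name__ == "__main__":
    base = {"device_type": "Windows", "groups": []}
    print(decision(POLICY, {**base, "client_ip": "10.5.5.5", "registering_fido2": True}))
    print(decision(POLICY, {**base, "client_ip": "203.0.113.7", "registering_fido2": True}))
    print(decision(POLICY, {**base, "client_ip": "203.0.113.7", "registering_fido2": False}))
    print(uncovered_enrollment_ips(AUDIT_EVENTS, REGISTRATION_RULE))
```

The second decision reproduces the troubleshooting symptom: a registration attempt from an address the registration rule does not cover matches nothing, while an ordinary sign-in from the same address still reaches the FIDO2 rule. The triage helper turns the manual Event Log review into a repeatable check, so adding the missing range to the rule and re-running it confirms the fix.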