AirLock Enforcement Logic
  • 02 Dec 2024

Article summary

When using Axiad AirLock, you can redirect your users to the Unified Portal to enroll or update authentication credentials, or you can block them entirely from access based on a set of criteria.

Default Enforcement

Below are the default criteria under which Axiad AirLock directs the user to the Unified Portal:

  • If a user signs in via their Windows password (temporary or permanent).

  • If a user signs in with a PKI-capable MFA device whose certificates expire within a mandatory renewal period.

  • If a user signs in with a PKI-capable MFA device whose certificates expire within an optional renewal period.

    • In this case, the user is offered the opportunity to enter the Unified Portal to renew their certificate, but they will not be forced into it until they reach the mandatory renewal period.

  • If a user signs in with an allowed authentication method (the list of methods is configurable).

    • Default methods include:

      • Axiad ID Winlogon provider

      • Windows Hello PIN

      • Windows Hello Facial Recognition

      • Windows Hello Fingerprint

      • Windows Hello Trusted Signal

While in the secured Unified Portal kiosk, the following enforcements are in place:

  • No window controls.

  • No desktop windowing environment.

  • No Windows keyboard shortcuts (including CTRL-ALT-DEL, Windows Key, and others).

Exceptions

Some exceptions can be configured so that a user is either allowed in or blocked rather than redirected to the Unified Portal:

  • If the user is an administrator (or holds another protected role, identified by SID on a configured SID list).

  • If the user is not on a specific list of SIDs.

  • If the user signs in as a non-domain account (local to the machine only).

  • If the user signs in while the Unified Portal is unreachable.

  • If the user signs in with an allowed authenticator.

AirLock Enforcement Flow

Note

The AirLock enforcement flow is completely customizable, so your environment may not have the same checks as you see below based on your settings.

In Axiad AirLock 2.4 and later, the enforcement flow is as follows:

  1. User attempts a login on their Windows machine

  2. AirLock checks the user’s group information

  3. If the user is not part of a bypass group, then Axiad looks at the user ID information

  4. If the user ID is not part of a bypass list, then Axiad checks the certificates on ANY inserted smartcard

    1. Regardless of the smartcard / authentication device being used, Axiad checks all inserted devices for certificate expiration

  5. If a certificate on any of the inserted smartcards is within the renewal window, then the user is redirected to the Unified Portal kiosk to update their device

  6. If the certificates are all valid (or the user does not have any smartcards inserted), then Axiad looks at the authenticator that the user employed to log into the machine

  7. If the authenticator is not an acceptable authenticator (either via the authenticator bypass or required authentication type rules), then the user is redirected to the Unified Portal kiosk to enroll a suitable authenticator for their next login attempt

  8. If the authenticator is acceptable, then the user is securely logged into their machine

  9. If the user is redirected to the Unified Portal kiosk, they have the opportunity to log in again once they have resolved their issue and successfully authenticated
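The default criteria, the configurable exceptions and the numbered flow above describe one ordered decision. The following Python model is an added example written for this page; it is not Axiad's code, and every policy knob, SID string and authenticator identifier in it is a constructed placeholder rather than a real AirLock setting. It applies the checks in the page's order (group bypass, user-SID bypass, every inserted card's certificate expiry, then the authenticator) and distinguishes the mandatory renewal window (forced redirect) from the optional one (kiosk offered, login allowed). One assumption goes beyond the text: when the Unified Portal is unreachable, the configured allow-or-block fallback is applied only at the point where a redirect would otherwise be issued.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                  # user is logged into the machine
    BLOCK = "block"                  # user is denied entirely
    REDIRECT = "redirect"            # forced into the Unified Portal kiosk
    OFFER_RENEWAL = "offer_renewal"  # optional window: kiosk offered, not forced


# The page's default allowed authenticators; the identifier strings are this
# example's own, not AirLock's.
DEFAULT_ALLOWED_AUTHENTICATORS = frozenset({
    "axiad-id-winlogon",   # Axiad ID Winlogon provider
    "hello-pin",           # Windows Hello PIN
    "hello-face",          # Windows Hello Facial Recognition
    "hello-fingerprint",   # Windows Hello Fingerprint
    "hello-trusted-signal",  # Windows Hello Trusted Signal
})


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy knobs (assumption: real AirLock settings are named differently)."""
    bypass_group_sids: frozenset = frozenset()
    bypass_user_sids: frozenset = frozenset()
    mandatory_renewal_days: int = 30   # constructed default
    optional_renewal_days: int = 90    # constructed default
    allowed_authenticators: frozenset = DEFAULT_ALLOWED_AUTHENTICATORS
    unreachable_portal_decision: Decision = Decision.BLOCK  # exception: allow or block
    local_account_decision: Decision = Decision.ALLOW       # exception: allow or block


@dataclass(frozen=True)
class LoginAttempt:
    user_sid: str
    group_sids: frozenset
    is_domain_account: bool
    authenticator: str                            # e.g. "password", "hello-pin"
    inserted_card_cert_expiries: tuple = ()       # expiry dates across ALL inserted cards
    portal_reachable: bool = True


def evaluate(attempt: LoginAttempt, policy: Policy, today: date) -> Decision:
    """Return the decision for one login attempt, following steps 2-9 of the flow."""
    # Steps 2-3: a member of a bypass group is let straight through.
    if attempt.group_sids & policy.bypass_group_sids:
        return Decision.ALLOW
    # Step 4: then the user's own SID is checked against the bypass list.
    if attempt.user_sid in policy.bypass_user_sids:
        return Decision.ALLOW
    # Exception: machine-local (non-domain) accounts are never redirected.
    if not attempt.is_domain_account:
        return policy.local_account_decision

    def redirect() -> Decision:
        # A redirect only works when the kiosk is reachable; otherwise the
        # configured allow/block fallback applies (assumption, see lead-in).
        return Decision.REDIRECT if attempt.portal_reachable else policy.unreachable_portal_decision

    # Steps 4.1-5: every inserted card is inspected, not just the one used to sign in.
    # An already-expired certificate yields a negative day count and is caught here too.
    days_left = [(exp - today).days for exp in attempt.inserted_card_cert_expiries]
    if any(d <= policy.mandatory_renewal_days for d in days_left):
        return redirect()
    # Steps 6-7: passwords and any other non-allowed authenticator are redirected
    # so the user can enroll a suitable authenticator for the next attempt.
    if attempt.authenticator not in policy.allowed_authenticators:
        return redirect()
    # Step 8: acceptable authenticator. Inside the optional window the kiosk is
    # offered but the login is not blocked.
    if any(d <= policy.optional_renewal_days for d in days_left):
        return Decision.OFFER_RENEWAL
    return Decision.ALLOW


if __name__ == "__main__":
    # Constructed sample: a domain user on 02 Dec 2024 with the default policy.
    today = date(2024, 12, 2)
    samples = {
        "password, no card": LoginAttempt("S-1-5-21-EXAMPLE-1001", frozenset(), True, "password"),
        "Hello PIN, card expires in 10 days": LoginAttempt(
            "S-1-5-21-EXAMPLE-1001", frozenset(), True, "hello-pin", (date(2024, 12, 12),)),
        "Hello PIN, card expires in 60 days": LoginAttempt(
            "S-1-5-21-EXAMPLE-1001", frozenset(), True, "hello-pin", (date(2025, 1, 31),)),
    }
    for label, attempt in samples.items():
        print(f"{label}: {evaluate(attempt, Policy(), today).value}")
```

Because the card scan runs before the authenticator check, a user who signs in with Windows Hello but leaves a nearly expired smartcard inserted is still sent to the kiosk; that matches step 4.1, where any inserted device counts.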

Learn More

Learn how to configure AirLock policies and see some real examples that expand beyond the default enforcement here.
