Avoid username/password prompt every time a workstation unplugs/plugs

umahar
Cisco Employee

I have a customer who is using 2FA for wired dot1x.

Their requirement is to not prompt the machine for username/credentials every time the machine unplugs and plugs, for 8 hours.

The user comes in in the morning, enters their username and 2FA, and can then seamlessly move around for the next 8 hours.

Any thoughts on if and how that can be achieved?

Maybe if we can dump authenticated machines hitting various authorization rules into identity groups the first time they authenticate, and then purge them at the end of the day.

3 Replies

Jason Kunst
Cisco Employee

What about machine cert plus cached user cert or creds?

Or machine cert plus a CWA flow, or using CWA with 2FA perhaps? Not sure if possible, but the endpoint could be registered to an endpoint group for the day perhaps.

thomas
Cisco Employee
Accepted Solution

With username/password you can cache credentials in the supplicant so you do not need to re-type them with every new authentication. I'm not aware of how you can cache a token. You have chosen a very secure authentication method - welcome to the side effect! Suggest you consider certificates which can be automatically presented as Jason suggested.

Letting an endpoint on for a set time (8 hours) is usually only done with Guests where the consequences of a MAC spoof would be fairly inconsequential.

umahar
Cisco Employee

Thanks Jason and Thomas for your inputs.

Jason, I already discussed the possibility of using CWA, but the customer does not want to add another flow. Besides, MAC spoofing is a big risk.

Thomas, I did discuss the same thing with the customer: they will have to make a trade-off between security and user experience. They have very strict instructions from their management to only use 2FA for NAC.
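Editor's added example, not code from the thread and not Cisco ISE code: a small model of the "register the endpoint in a group for the day" scheme from the question, so the authorization outcomes it produces are visible, including the MAC-spoof exposure that the accepted answer points out. The class and function names (TimeBoundedMacCache, authorize, purge_expired, walk_through), the 8-hour window and the MAC address are all invented here for illustration; in a real deployment the "group" would be an ISE endpoint identity group matched by an authorization rule, and the purge a scheduled job against the endpoint database.

```python
# Added example: a model of the "register the MAC for the day" scheme proposed
# in the question, written to show the authorization outcomes it produces and
# the MAC-spoof exposure noted in the accepted answer. This is illustration
# code, not Cisco ISE code; TimeBoundedMacCache, authorize, purge_expired and
# walk_through are names invented here.
from dataclasses import dataclass
from datetime import datetime, timedelta


def normalize_mac(mac: str) -> str:
    """Accept AA:BB:CC:DD:EE:FF, AA-BB-..., aabb.ccdd.eeff or bare hex and
    return the canonical colon form, so one endpoint cannot be registered
    twice under different spellings of its address."""
    hexdigits = "".join(c for c in mac if c.isalnum()).upper()
    if len(hexdigits) != 12 or any(c not in "0123456789ABCDEF" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Decision:
    permitted: bool
    reason: str


class TimeBoundedMacCache:
    """Stands in for an ISE endpoint identity group that an authorization rule
    matches on. An endpoint is added after its first successful 2FA logon and
    is then trusted on MAC alone until the window (8 hours by default) closes."""

    def __init__(self, window: timedelta = timedelta(hours=8)):
        self.window = window
        self._first_2fa: dict[str, datetime] = {}  # canonical MAC -> registration time

    def authorize(self, mac: str, now: datetime, passed_2fa: bool = False) -> Decision:
        mac = normalize_mac(mac)
        registered_at = self._first_2fa.get(mac)
        if registered_at is not None:
            if now - registered_at < self.window:
                # Inside the window: no credential prompt. Nothing here can tell
                # the original workstation from a device cloning its MAC.
                return Decision(True, "mac-in-group")
            del self._first_2fa[mac]  # window closed: fall through to 2FA again
        if passed_2fa:
            self._first_2fa[mac] = now
            return Decision(True, "2fa-ok-registered")
        return Decision(False, "2fa-required")

    def purge_expired(self, now: datetime) -> list[str]:
        """End-of-day job: drop every registration whose window has closed."""
        expired = [m for m, t in self._first_2fa.items() if now - t >= self.window]
        for m in expired:
            del self._first_2fa[m]
        return expired

    def registered(self) -> list[str]:
        return sorted(self._first_2fa)


def walk_through() -> list[tuple[str, Decision]]:
    """Constructed day for one workstation; MAC AA:BB:CC:DD:EE:01 is made up."""
    cache = TimeBoundedMacCache()
    day = datetime(2024, 1, 8)
    t = lambda h, m=0: day + timedelta(hours=h, minutes=m)
    return [
        ("08:00 first plug-in, user completes 2FA",
         cache.authorize("AA:BB:CC:DD:EE:01", t(8), passed_2fa=True)),
        ("12:30 replugged at another desk, same MAC in Cisco dotted form",
         cache.authorize("aabb.ccdd.ee01", t(12, 30))),
        ("14:00 a different device presenting the cloned MAC",
         cache.authorize("AA:BB:CC:DD:EE:01", t(14))),
        ("16:30 the 8h window has closed, the prompt comes back",
         cache.authorize("AA:BB:CC:DD:EE:01", t(16, 30))),
    ]


if __name__ == "__main__":
    for label, decision in walk_through():
        verdict = "PERMIT" if decision.permitted else "DENY"
        print(f"{label:62} -> {verdict:6} ({decision.reason})")
```

The third step is the one that matters for the trade-off discussed above: within the window the model, like an identity-group match in ISE, permits whatever presents the registered MAC, which is exactly the consequence the accepted answer says is tolerable for guests but not for a population that management wants behind 2FA.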
