06-18-2018 08:20 AM
I have a customer who is using 2FA for wired dot1x.
Their requirement is to not prompt the machine for username/credentials every time the machine unplugs and plugs in for 8 hours.
The user comes in in the morning and enters their username and 2FA and then can seamlessly move around for the next 8 hours.
Any thoughts on if and how that can be achieved?
Maybe if we can dump authenticated machines hitting various authorization rules into identity groups the first time they authenticate and then purge them at the end of the day.
06-20-2018 02:54 PM
With username/password you can cache credentials in the supplicant so you do not need to re-type them with every new authentication. I'm not aware of how you can cache a token. You have chosen a very secure authentication method - welcome to the side effect! Suggest you consider certificates which can be automatically presented as Jason suggested.
Letting an endpoint on for a set time (8 hours) is usually only done with Guests where the consequences of a MAC spoof would be fairly inconsequential.
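The trade-off described in this thread can be shown in a few lines of policy logic. The following is an added example, not code from the original thread or from any NAC product: it simulates the original poster's idea of putting an endpoint into a "for the day" group after a successful 2FA login and purging it later, and it shows why the MAC-spoof concern raised above applies. The grant is keyed on MAC address only; the optional binding to the switch port the login came from (`nas_port`, an assumed attribute name) closes the spoof window but also breaks the "move around for 8 hours" requirement, which is exactly the security-versus-usability choice the thread ends on. All MACs, ports and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=8)  # the 8-hour window from the original question


@dataclass
class Grant:
    mac: str
    nas_port: str        # assumed attribute: switch/port where the 2FA login happened
    expires: datetime


class DayCache:
    """Simulated 'authenticated for the day' identity group.

    Entries are keyed on MAC address, so any device presenting the same MAC
    inherits the grant unless the grant is also bound to something else.
    """

    def __init__(self, window: timedelta = WINDOW) -> None:
        self.window = window
        self._grants: dict[str, Grant] = {}

    def record_2fa_success(self, mac: str, nas_port: str, now: datetime) -> Grant:
        """Called once the real username + 2FA authentication succeeds."""
        grant = Grant(mac.lower(), nas_port, now + self.window)
        self._grants[grant.mac] = grant
        return grant

    def decide(self, mac: str, nas_port: str, now: datetime,
               bind_to_port: bool = False) -> str:
        """Authorization decision for a new dot1x session from this MAC.

        bind_to_port=False : MAC-only match (user can roam; a spoofed MAC roams too)
        bind_to_port=True  : MAC + port match (spoof from another port is refused,
                             but so is the legitimate user who moved desks)
        """
        grant = self._grants.get(mac.lower())
        if grant is None or now >= grant.expires:
            return "REQUIRE_2FA"
        if bind_to_port and grant.nas_port != nas_port:
            return "REQUIRE_2FA"
        return "ALLOW_CACHED"

    def purge_expired(self, now: datetime) -> int:
        """Remove grants whose window has passed; returns how many were removed."""
        expired = [m for m, g in self._grants.items() if now >= g.expires]
        for mac in expired:
            del self._grants[mac]
        return len(expired)

    def purge_all(self) -> int:
        """End-of-day purge of the whole group, as proposed in the question."""
        count = len(self._grants)
        self._grants.clear()
        return count


def run_scenario() -> dict[str, str]:
    """Constructed scenario: a user logs in at 08:00 on one switch port, then a
    device with the same MAC shows up on a different port an hour later."""
    cache = DayCache()
    t0 = datetime(2018, 6, 18, 8, 0)
    user_mac, home_port, other_port = "AA:BB:CC:DD:EE:01", "sw1/Gi1/0/1", "sw2/Gi1/0/7"
    cache.record_2fa_success(user_mac, home_port, t0)
    later = t0 + timedelta(hours=1)
    return {
        "same_port": cache.decide(user_mac, home_port, later),
        "other_port_mac_only": cache.decide(user_mac, other_port, later),
        "other_port_bound": cache.decide(user_mac, other_port, later, bind_to_port=True),
        "after_window": cache.decide(user_mac, home_port, t0 + WINDOW),
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:>22}: {decision}")
```

The `other_port_mac_only` result is the point Thomas makes above: with a MAC-only grant, a station that copies a known-good MAC is admitted without ever passing 2FA, and the only record of it is the endpoint's MAC. Binding the grant to more than the MAC refuses that case but also refuses the roaming user, so the cache buys convenience only at the price of exactly the property 2FA was chosen for.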
06-19-2018 09:45 AM
What about machine cert plus cached user cert or creds?
Or machine cert plus CWA flow, or using CWA with 2FA perhaps? Not sure if possible, but the endpoint could be registered to an endpoint group for the day perhaps.
06-21-2018 07:26 AM
Thanks Jason and Thomas for your inputs.
Jason, I already discussed the possibility of using CWA, but the customer does not want to add another flow. Besides, MAC spoofing is a big risk.
Thomas, I did discuss the same thing with the customer: that they will have to make a trade-off between security and user experience. They have very strict instructions from their management to only use 2FA for NAC.