
CJI new MFA compliancy

tiffany202
Level 1

I just wanted to know if there were other organizations that are facing similar issues with the MFA requirement for CJI assessing devices. https://www.police1.com/cybersecurity/3-ways-to-meet-the-new-cjis-mfa-requirements

We have a department trying to implement this change with certain workstations. We are trying Duo authentication for Windows logon and facing a couple of dilemmas given the connection type with some of these (some being internet-connected, others not as such). We've looked at Duo tokens and Yubikeys, which seem to work alright. It will create a challenge of users keeping up with it (if they don't utilize the Duo app). Will tokens only work on online devices? Is there any way to set up a proxy to bypass the use for this?

Just wanted to see if anyone was in a similar predicament or had suggestions before the Oct 1 deadline. 


ccieexpert
Spotlight

You can use a proxy for Windows login. You have to configure it.

https://duo.com/docs/rdp

I see the only mention of proxy is in step 2. Are those the only details/instructions for it? I believe we ran a test with the Log on with the API hostname, but were trying an alternative for some of the limited-connectivity PCs that may or may not use local logins.

DuoKristina
Cisco Employee

The HTTP proxy support in Duo for Windows Logon is intended for the use case where you have Windows systems on a limited-access network that does not have direct outbound access to Duo's cloud service, but that limited-access network does have persistently available access to an HTTP proxy on an accessible, adjacent network and can therefore proxy out requests to Duo's cloud service via the upstream HTTP proxy.

This is not a solution for an individual Windows system that sometimes has no connectivity to the internet nor to any HTTP proxy on an accessible network.

For Windows systems that experience temporary periods without connectivity to Duo's service, we added support for offline logins: https://duo.com/docs/rdp#offline-access. The way this works is that users are able to enroll an offline 2FA factor (the Duo Mobile app or a U2F security key) for that specific Windows system, and can use that to log in when the system has no connectivity to Duo's cloud service.

The offline access feature isn't intended as a solution for persistently disconnected Windows systems as it does require a periodic refresh of offline policy.

Yubikey OTP (passcode-generating) hardware tokens only work for **ONLINE** Duo Windows logins, not for offline Duo Windows logins. But, you can get a Yubikey that does both OTP and U2F and be able to use it for both online and offline 2FA.

Duo, not DUO.