
Single Sign On “Single User” Enforcement in NAM module

henrikj
Level 1

Hi

I have a customer that is using the AnyConnect NAM module to support EAP-TLS with machine certificate. By default the "Single Sign On “Single User” Enforcement" is enabled, which means that you cannot change user (in Windows - log off/log on). By changing a registry key you are able to disable this, but I'm not sure of the consequences of doing this.

Since I'm only using machine certificates I don't see any issues.

Any thoughts or pros/cons?

 

Regards Henrik

1 Reply

Mike.Cifelli
VIP Alumni
Here is the reg hack:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

To configure single or multiple user logon, add a DWORD named EnforceSingleLogon (this should already be there), and give it a value of 1 or 0.

1 restricts logon to a single user.
0 allows multiple users to be logged on.

IMO it depends on what exactly you are trying to accomplish. Just know that if you are only doing computer auth for 802.1X via EAP-TLS and you allow multiple users, each user can piggyback off the one authenticated comp session. But like you said, since you are not performing EAP chaining to also enforce user auth, I agree and do not see a major issue. I am actually somewhat surprised that you are using NAM just for EAP-TLS with comp auth. I personally think using the native supplicant is easier if that is all you wish to accomplish.

Good luck & HTH!
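
The registry setting described in the reply above, as an added example that is not part of the original thread or Cisco's own tooling: a PowerShell audit of `EnforceSingleLogon` that distinguishes a missing key, a missing value, and the two documented settings, plus a guarded setter. The function names `Get-NamSingleLogonState` and `Set-NamSingleLogonState` are hypothetical; the key path and value name are the ones quoted in the reply.

```powershell
# Added example: audit (and optionally change) the EnforceSingleLogon DWORD.
# Key path and value name are taken from the reply; function names are hypothetical.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}'
$ValueName = 'EnforceSingleLogon'

function Get-NamSingleLogonState {
    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        State    = 'KeyMissing'   # credential provider key not present on this host
        Raw      = $null
    }
    # -LiteralPath keeps the braces in the GUID from being treated as wildcards.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $result }

    $prop = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        $result.State = 'ValueMissing'   # key exists, DWORD was never created
        return $result
    }

    $result.Raw   = $prop.$ValueName
    $result.State = switch ($result.Raw) {
        1       { 'SingleUser' }   # logon restricted to a single user
        0       { 'MultiUser' }    # multiple users may be logged on
        default { 'Unexpected' }   # anything else deserves a manual look
    }
    return $result
}

function Set-NamSingleLogonState {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Credential provider key not found; nothing to configure."
    }
    # ShouldProcess lets -WhatIf show the change without writing it.
    if ($PSCmdlet.ShouldProcess($KeyPath, "Set $ValueName = $Value")) {
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
    Get-NamSingleLogonState
}

# Report the current state of this machine.
Get-NamSingleLogonState
```

Writing under HKLM requires an elevated session; hosts reporting `MultiUser` are the ones where, as the reply notes, each logged-on user shares the one machine-authenticated 802.1X session.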