Multi Factor Authentication Posture Check

 

Overview

This guide goes over how to enable and set up MFA Posture check for endpoints. A console administrator can create multiple posture checks with MFA settings.  Like other posture checks in NetFoundry, the MFA posture check is applied at APPWAN level. 

NOTE:  Network versions prior to 7.3.37 which had MFA enabled in the APPWAN will see a new posture check by the name "zitimfa" and this posture shall be automatically applied to the APPWAN once the network is upgraded to 7.3.37 and above.

Multi Factor Authentication Posture Check options

Authentication is the process of verifying the identity of an user for providing the access to the systems. In authorization process, user’s authorities are checked for specifying access rights/privileges to resources in the system.

Authentication is done before the authorization process.

You will need to authenticate with MFA token when you start your laptop (ie ziti service is started) once to access any APPWAN if your identity is MFA enabled. Thereafter, subsequent MFA authorization is as per the APPWAN's MFA policy . 

MFA Options Function
MFA RE-CHECK ON WAKE Forces endpoints on Laptop/ Desktop systems to enter a valid MFA code on WAKE from SLEEP. Failure to do so will disconnect the endpoints from associated APPWAN services.
MFA RE-CHECK ON UNLOCK Forces endpoints on Laptop/ Desktop systems to enter a valid MFA code when the system is unlocked from locked mode. Failure to do so will disconnect the endpoints from associated APPWAN services.
MFA RE-CHECK DURATION Forces endpoints on Laptop/ Desktop systems to enter a valid MFA code at a desired periodic interval. Failure to do so will disconnect the endpoints from associated APPWAN services.
SUPPORTED ENDPOINTS ONLY Allows endpoints that do not support MFA to remain connected and the MFA settings shall not apply.

Configure MFA Posture Check

To create new MFA posture check, go to Posture Checks section and click on the "+" symbol and in the 'Select Posture Type' drop down, select option - 'Multi Factor Authentication'

mceclip0.png

mceclip3.png

To edit the default MFA posture check "zitimfa" you must

  1. Go to Posture Checks section
  2. Select the posture check named "zitimfa". 
  3. Click on the 3 dots and select edit

mceclip1.png

mceclip0.png

mceclip0.png

1. MFA RE-CHECK ON WAKE

'MFA RE-CHECK ON WAKE' option forces endpoints on Laptop/ Desktop systems to enter a valid MFA authorization code on WAKE from SLEEP. Failure to do so will disconnect the endpoints from associated APPWAN services.

To enable, toggle the 'MFA RE-CHECK ON WAKE' to 'Yes' and click 'Update'.

mceclip1.png

Note

If the endpoint is added to multiple APPWANs and some of the APPWANs do not have MFA posture check re-check on wake enabled, following behaviour is expected for MFA prompt.

  • MFA authorization code will be prompted for the services which are part of APPWANs with MFA posture check 're-check on wake' enabled, when the Laptop/ Desktop wakes up from sleep after 5 minutes.
  • For APPWANs wich do not have MFA posture check re-check on wake enabled, MFA authorization code with be prompted if the Laptop/ Desktop wakes up from sleep after 30 minutes.

2. MFA RE-CHECK ON UNLOCK

MFA RE-CHECK ON UNLOCK forces endpoints on Laptop/ Desktop systems to enter a valid MFA authorization code when the system is unlocked from locked mode. Failure to do so will disconnect the endpoints from associated APPWAN services.

It takes 5 minutes from the time of Laptop/ Desktop getting into locked mode, for MFA authorization code to be prompted.

To enable, toggle the 'MFA RE-CHECK ON UNLOCK' to 'Yes' and click 'Update'.

mceclip2.png

3. MFA RE-CHECK DURATION

MFA RE-CHECK DURATION forces endpoints on Laptop/ Desktop systems to enter a valid MFA authorization code at a set periodic interval. Failure to do so will disconnect the endpoints from associated APPWAN services. 

To enable, toggle the 'MFA RE-CHECK DURATION' to 'Yes' and input the required Hours/ Minutes. 

  • MFA recheck will reset if there was a recent check due to Unlock / Wake.

mceclip3.png

4. SUPPORTED ENDPOINTS ONLY

To allow endpoints that do not support MFA (Ex : Linux desktop edge, Ziti mobile edge, etc) to remain connected, toggle the 'SUPPORTED ENDPOINTS ONLY' to 'Yes' based on the requirement. 

mceclip4.png

APPLY MFA POSTURE CHECK IN APPWAN

To apply MFA posture check in the APPWAN, go to the Posture check section in the APPWANs configuration and select the required posture check policy name and hit update.

In the below example, we are adding "zitimfa_new" in the POSTURE ATTRIBUTES field to enable Multi Factor Authentication in the APPWAN.

mceclip7.png

mceclip8.png

Setting Up MFA on the Client/Endpoint

NetFoundry used "TOTP" based authentication for MFA. You can use any TOTP app / solution of your choice.

After enrolling an identity click on it and open the detail page. On the detail page click the toggle to enable MFA:

MFA Initialization

 

NOTE: User can set up MFA on the windows edge client at any time once the identity is enrolled.  This will not impact your service access UNTIL you/your administrator enables MFA on a given APPWAN.

 

After toggling the toggle, a QR Code will be generated and displayed and will look like:

  1. Shows the QR Code. Use your mobile to scan the code into an authenticator application of your choice.
  2. If a OTP-style application is installed and is mapped on the system to open links starting with otpauth://
  3. Show Secret will show you the secret that can be used to manually install the token into an authenticator app
  4. Once the token is imported into the authenticator app - enter the 6-digit code into the "Authentication Code" field and click the button to enroll the identity for MFA.

MFA Initialization

 

Post MFA Enrollment

After enrolling the identity it will be automatically authorized for the current session and recovery codes will be shown. Save these recovery codes as they will be needed in case the token is ever lost. 

These recovery codes will be your only backup if you lose your MFA, so it is important to save them somewhere safe.

The detail screen will change and show two new icons:

  1. The first icon will show the recovery codes for the identity if needed
  2. The lock icon show the MFA status and represents if the identity has successfully been authorized.

MFA enrollment codes

 

You can click the recovery code icon on your endpoint to save the codes if you missed saving them during MFA enrollment

 

mceclip3.png

Authenticating Using a Time-based One-time Token

After being enrolled should the session become invalid the lock icon will change to a yellow color and be shown on the main page. Click on the lock icon on either screen or click the "Authenticate" button on the detail page to initiate authentication.

MFA Main Page Auth Needed MFA Detail Page Auth Needed

A dialog will be shown. Enter the code and complete authentication.

MFA Main Page Auth Needed

 

The services shall load on your endpoint only after the MFA token has been authenticated and the endpoint, authorized. 

Manage MFA

After setting up MFA, you will see that under MANAGE ENDPOINTS, the endpoints attached to the APPWAN that you enabled MFA will now show YES under Enrolled MFA.

mceclip0.png

Reset MFA:

MFA reset may be needed if the user has changed the device that's running MFA TOTP authenticator app or the app itself. Hit the hamburger menu against the endpoint and select reset MFA.

 

mceclip1.png

Note that you can reset MFA from the endpoint by disabling MFA in the endpoint and enabling again.

mceclip2.png

Both the above options will require the user to add the account again in the TOTP app. 

MFA Timer Prompt:

The timer icon will come up in the WDE UI against the identity <= 20 minutes to MFA expiry time.

Ex : if the MFA authorization is set to be prompted at 12:30 PM, the timer icon will come up at 12:11 PM

You might also get a notification under Windows notifications.

mceclip4.png

Was this article helpful?
2 out of 2 found this helpful

Comments

0 comments

Please sign in to leave a comment.