Overview
This guide goes over how to enable and set up MFA Posture check for endpoints. A console administrator can create multiple posture checks with MFA settings. Like other posture checks in NetFoundry, the MFA posture check is applied at APPWAN level.
NOTE: Network versions prior to 7.3.37 which had MFA enabled in the APPWAN will see a new posture check by the name "zitimfa" and this posture shall be automatically applied to the APPWAN once the network is upgraded to 7.3.37 and above.
Multi Factor Authentication Posture Check options
Authentication is the process of verifying the identity of an user for providing the access to the systems. In authorization process, user’s authorities are checked for specifying access rights/privileges to resources in the system.
Authentication is done before the authorization process.
You will need to authenticate with MFA token when you start your laptop (ie ziti service is started) once to access any APPWAN if your identity is MFA enabled. Thereafter, subsequent MFA authorization is as per the APPWAN's MFA policy .
| MFA Options | Function |
| MFA RE-CHECK ON WAKE | Forces endpoints on Laptop/ Desktop systems to enter a valid MFA code on WAKE from SLEEP. Failure to do so will disconnect the endpoints from associated APPWAN services. |
| MFA RE-CHECK ON UNLOCK | Forces endpoints on Laptop/ Desktop systems to enter a valid MFA code when the system is unlocked from locked mode. Failure to do so will disconnect the endpoints from associated APPWAN services. |
| MFA RE-CHECK DURATION | Forces endpoints on Laptop/ Desktop systems to enter a valid MFA code at a desired periodic interval. Failure to do so will disconnect the endpoints from associated APPWAN services. |
| SUPPORTED ENDPOINTS ONLY | Allows endpoints that do not support MFA to remain connected and the MFA settings shall not apply. |
Configure MFA Posture Check
To create new MFA posture check, go to Posture Checks section and click on the "+" symbol and in the 'Select Posture Type' drop down, select option - 'Multi Factor Authentication'
To edit the default MFA posture check "zitimfa" you must
- Go to Posture Checks section
- Select the posture check named "zitimfa".
- Click on the 3 dots and select edit
1. MFA RE-CHECK ON WAKE
'MFA RE-CHECK ON WAKE' option forces endpoints on Laptop/ Desktop systems to enter a valid MFA authorization code on WAKE from SLEEP. Failure to do so will disconnect the endpoints from associated APPWAN services.
Note
If the endpoint is added to multiple APPWANs and some of the APPWANs do not have MFA posture check re-check on wake enabled, following behaviour is expected for MFA prompt.
- MFA authorization code will be prompted for the services which are part of APPWANs with MFA posture check 're-check on wake' enabled, when the Laptop/ Desktop wakes up from sleep after 5 minutes.
- For APPWANs wich do not have MFA posture check re-check on wake enabled, MFA authorization code with be prompted if the Laptop/ Desktop wakes up from sleep after 30 minutes.
2. MFA RE-CHECK ON UNLOCK
MFA RE-CHECK ON UNLOCK forces endpoints on Laptop/ Desktop systems to enter a valid MFA authorization code when the system is unlocked from locked mode. Failure to do so will disconnect the endpoints from associated APPWAN services.
It takes 5 minutes from the time of Laptop/ Desktop getting into locked mode, for MFA authorization code to be prompted.
To enable, toggle the 'MFA RE-CHECK ON UNLOCK' to 'Yes' and click 'Update'.
3. MFA RE-CHECK DURATION
MFA RE-CHECK DURATION forces endpoints on Laptop/ Desktop systems to enter a valid MFA authorization code at a set periodic interval. Failure to do so will disconnect the endpoints from associated APPWAN services.
To enable, toggle the 'MFA RE-CHECK DURATION' to 'Yes' and input the required Hours/ Minutes.
- MFA recheck will reset if there was a recent check due to Unlock / Wake.
4. SUPPORTED ENDPOINTS ONLY
To allow endpoints that do not support MFA (Ex : Ziti mobile edge) to remain connected, toggle the 'SUPPORTED ENDPOINTS ONLY' to 'Yes' based on the requirement.
APPLY MFA POSTURE CHECK IN APPWAN
To apply MFA posture check in the APPWAN, go to the Posture check section in the APPWANs configuration and select the required posture check policy name and hit update.
In the below example, we are adding "zitimfa_new" in the POSTURE ATTRIBUTES field to enable Multi Factor Authentication in the APPWAN.
Setting Up MFA on the Client/Endpoint
Enrolling MFA from Ziti Desktop Edge for Windows