Authentication Policies with MFA Posture Checks

So, looking at Authentication policies. There is no option for creating authentication policies as asked back in November within ZAC…yet. From what I can see in the documentation, there is an article explaining what it is, what the default is, but nothing about how you would use them. For this I mean
a) Create a policy
b) Enroll and identity with it
c) Modify a policy

There was reference to a command where you can see Authentication policies here:

Also, by virtual of this feature not being in ZAC, and it appears that you can enroll an identity with an authentication policy, that you cannot do this with an identity created through ZAC?

This is the outcome that I would like to understand how best to do…
a) Enforce all heartbeat identities (Users) to use MFA
b) All service identities to not use MFA, as that would not be a good outcome

In regards to point a:
i) The user needs to MFA before ANY services are active
ii) When the screen is locked, woken from sleep, logged in, they need to (re)authenticate
iii) No time out on the session, ie if they do not trigger a re-authentication action then not prompted

Item i) and ii) is required, as identities are device based. Requirement is to not have someone else logging into the machine, and then get access to services that they are not allowed to gain access too (least privilege).

How would I achieve this?

@jeremy.tellier – let’s prioritize enabling this feature for our friend @gooseleggs ? :slight_smile:

Requirement is to not have someone else logging into the machine, and then get access to services that they are not allowed to gain access too

This one is kinda difficult to be honest. Right now the tunnelers are a “per OS” type of thing and that’s why it runs as a system service for Windows and linux. Because tunnelers are “bridging” software, they operate on the underlay and intercept/work with IP. That means once you turn a tunneler on, anyone that logs into the machine will have the capability to access any services provided by that tunneler. You can still use application level authentication to prevent the user from actually logging in to the target machine, but they’d be able to at least “get to the login page”.

We have talked about this in the past to see if there’s some more novel way for us to accomplish that sort of exclusion, but I don’t think we’ve come up with something yet.

Sure thing, I will take a look in the morning.

This is why I am asking about the timeout. Most services will have some form of authentication - effectively same as being on the underlay. Was there any documentation around how to do implement through the command line?

I’m not sure I follow? Do you mean “how to supply the mfa digits” via the command line?

Sorry, I mean create, modify, apply the Authentication policies through the command line.

Hrmmmm. Looking at the ziti CLI v0.27.3, I don’t see any CUD for auth-policies, only R (ziti edge list).

You’ll have to use the REST service for this at this time. You can find the spec and doc on your running controller: