Enforce MFA on Ziti Desktop?

Tunneler Apps
1

Hi everyone.

Is it possible to tell a controller to enforce MFA on the Ziti Desktop Edge app?

2

Yes, it's possible in two different ways.

Via Service Policy

  • Create an MFA Posture Check (under the Identities section of ZAC)
  • assign that posture check to a service policy

Via Authentication Policy

  • Create an Auth Policy (under Authentication in the ZAC)
  • Check the "Require TOTP" toggle on the top right

hth

1 Like
3

Awesome! I'll try that.

EDIT: worked beautifully! Thank you!

4

@TheLumberjack if someone sets up MFA on their Desktop Edge app, they need to introduce the code every time they connect to the network (not only that, but also when they unlock their computer), so not adding an MFA posture check to a service is not enough to allow access to it when someone hasn't introduced their code. Is there a way to configure the desktop app so if the person doesn't input their MFA OTP they can still connect to the network (so the posture checks can do their job)?

5

@plorenz @emoscardini would any of you know the answer to this question?

6

I'm not quite sure I understand. You want it so that when a user connects, they are connected without MFA but there are some services that require MFA via posture check, right?

So say "user1" has access to the "no-mfa-service" if they don't enter digits while not having access to "mfa-required-service" until they add the TOTP, right?

You tried that with a posture check but that wasn't what you wanted?

7

Sort of. If someone enables MFA in the Desktop App, the only way they actually get connected to the network is by typing their code. So posture checks based on MFA are kinda redundant in that scenario. Ideally if someone has MFA enabled (but hasn't typed their OTP yet), and some services don't have a require-mfa posture check, those would be accessible. The actual behavior as of now seems to be that the person doesn't even connect to the network without typing the OTP.

8

Hrmmm. I am thinking we introduced a bug somewhere then. I always just enter my MFA code mindlessly so I might have never noticed this behavior. I did refactor the UI at some point, this might be a UI issue that I unknowingly introduced or one that snuck in at some other point and we just haven't noticed yet.

What you describe is what I would expect as well:

  • If you have TOTP required on your authentication policy, you MUST supply the TOTP code in order to connect to the network. If the auth policy doesn't force TOTP, it should not be required (as it appears you are saying)
  • If you have a TOTP posture check, you should see a little triange on your service and you should see some sort of lock icon indicating you need to add MFA for one or more services

I'll have to test this out, but it's sounding like there's a bug here... Thanks for bring it to our attention.

9

Sure! Thank you.

Let me know if I can help somehow.

10

BTW, I haven't tested this on the Windows app, just Mac OSX

11

I had a look. I made an identity with access to two service. One with, one without mfa needed. I had the same experience you had (albeit on Windows, not MacOS but it's good to know you were using mac)

We'll have to file a bug on this and get it fixed. I'm not sure when it'll get fixed exactly, but we'll do our best to fix it quickly.

1 Like
12

Hey @TheLumberjack do you have a GitHub issue or something for this? I'd like to keep track of it. I'm still kind of "selling" OpenZiti to my team and the MFA thing has been sort of a friction point for them.

13

whoops my bad! MFA needed via posture check prevents service listing · Issue #825 · openziti/desktop-edge-win · GitHub

Have a look and make sure that captures your experience, I think it does.

14

yes it does!
do we need something similar on the Desktop App's mac os repo?

15

So, shame on me but I didn't check the linux ziti-edge-tunnel nor the ZDEM/iOS but since the crux of this particular problem is with the C SDK (which all the tunnelers use), i don't THINK so... That being said, whenever the bug is fixed I prolly should try to remember to check MacOS as well. I'm sure I won't forget to do that.... :upside_down_face:

One of our engineers that needs to be involved here isn't available for a couple of weeks so to set expectations, it'll be a bit before we run this to ground. I'll set a reminder but if you don't hear back from me in 2-4 weeks on this thread (or that bug) go ahead and bump it please. Cheers

1 Like