Question regarding MFA

Hi All,

I want to enable MFA on the Default policy; however, I cannot configure MFA on my Windows PC when MFA is forced?

This is with MFA forced


This is without MFA forced


I don't understand how it works. How can I force MFA on a tunnel without being able to configure it on the client? It needs to authenticate, which I can't do because I don't have MFA yet.

Hi @toms24x7,

You'd add a posture check to accomplish this. When you create the service-policy, you can add a posture check to that policy. You'd make a posture check that verifies MFA. With the ziti CLI it would look something like:

ziti edge create posture-check mfa ....
ziti edge create service-policy --posture-check-roles ...

Hope that helps and makes enough sense. If not, we can go from there.

@TheLumberjack
I got the posture check working, but now I'm running into the issue that I can't re-authenticate anymore.
Not even with the recovery codes; it looks like the Authenticate button does nothing.

However, this is based on the bind and dial policies, right? Because when I enabled the posture checks on the policies and then forced MFA via the auth policy, I still couldn't create an MFA option.

My issue with re-authenticating happened after I let the timer run out. After a few restarts of the Ziti program I could authenticate again; it works now.

That should not be necessary. Can you look through the logs for related errors? My guess is that your local clock and the controller clock are out of sync. They must be in sync for MFA to work reliably/properly. If they are not, you get a situation like you describe where it only "kinda works some of the time" ... (we have seen clocks drift in the past and this issue comes up)
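The clock-sync point above is easy to see with a worked example. The block below is an added illustration, not code from the thread or from the OpenZiti project; it assumes the MFA in question is a standard TOTP authenticator (RFC 6238, 30-second steps, 6 digits) and uses a constructed demo secret. It generates the code a client would show at a skewed clock and checks it against what the server accepts within a one-step tolerance window, so a 5-minute skew fails while a few seconds of drift still verifies.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default)
DIGITS = 6          # code length
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"  # constructed demo secret, not a real enrollment


def totp(secret_b32, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """Return the TOTP code for the given secret at the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step                 # time-step counter
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32, code, server_time, window=1):
    """Accept a code if it matches the current step or one within +/- window steps."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, server_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):   # constant-time compare
            return True
    return False


def skew_outcome(secret_b32, server_time, client_skew_seconds, window=1):
    """Simulate a client whose clock is off by client_skew_seconds and report
    whether the server (at server_time) would accept the code it submits."""
    client_code = totp(secret_b32, server_time + client_skew_seconds)
    return verify(secret_b32, client_code, server_time, window)


if __name__ == "__main__":
    now = 1_700_000_000  # fixed server time so the demo is deterministic
    for skew in (0, 15, -15, 300, -300):
        status = "accepted" if skew_outcome(DEMO_SECRET_B32, now, skew) else "REJECTED"
        print(f"client clock skew {skew:+5d}s -> {status}")
```

With a one-step window the server tolerates at most 30 seconds of skew in either direction; a client that is 5 minutes (300 s) out is ten steps away and every code it produces is rejected, which matches the "only kinda works some of the time" symptom when the skew hovers near a step boundary. The fix is NTP on both ends, not a wider window.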

That worked; my clock was 5 min out of sync :slight_smile:
