Educause Security Discussion mailing list archives

Re: MFA/2FA Implementation Questions

From: Jamie Schademan <Jamie.Schademan () CWU EDU>
Date: Tue, 4 Feb 2020 17:24:24 +0000
Hello,
We too are implementing the Microsoft MFA and so far, have only done so for our IT staff accessing 0365.  So not very 
far.  We use Shibboleth for SSO into our main portal of applications.  We also use Radius to authenticate remote users. 
Is there anyone else with this type of setup that can provided some insight?

Thanks in advance,
Jamie

[cid:image002.png@01D5DB3B.BA77BB60]
Jamie Schademan, CISM
Chief Information Security Officer
Information Security Services
Jamie.Schademan () cwu edu<mailto:Jamie.Schademan () cwu edu>



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Bandy, John
Sent: Tuesday, February 4, 2020 9:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] MFA/2FA Implementation Questions

Caution: This email originated from outside the university.
Do not click on links, open attachments, or reply unless you recognize the sender and know the content is safe. If you 
have questions about this email please forward it to cwuservicedesk () cwu edu<mailto:cwuservicedesk () cwu edu>.



I responded via REN-ISAC.  Let me know if you would like to have a more in depth conversation.


John Bandy
Chief Information Security Officer
Technology Services

205-726-2692<tel:+1205-726-2692> | office
205-726-2692 | fax
JBandy () Samford Edu<mailto:JBandy () Samford Edu>
Twitter<https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftwitter.com%2FSamfordInfoSec&data=02%7C01%7Cjamie.schademan%40CWU.EDU%7C15cdcaa6a5de4e8a192208d7a994053c%7Cf891d6c191d6444ba700d371910716c7%7C0%7C0%7C637164325524985193&sdata=X%2BTRxCTCPjLQRcaiMh2k%2B5M3zUWonq0EIK2C1Z2%2FN6w%3D&reserved=0>
800 Lakeshore Drive
Birmingham, AL 
35229<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmaps.google.com%2Fmaps%3Fq%3D800%2BLakeshore%2BDrive%2C%2BBirmingham%2C%2BAL%2B35229%2C%2BUS&data=02%7C01%7Cjamie.schademan%40CWU.EDU%7C15cdcaa6a5de4e8a192208d7a994053c%7Cf891d6c191d6444ba700d371910716c7%7C0%7C0%7C637164325524985193&sdata=cEssbTCwu7J9129npbgsuomMvNUbwHZGDn7pRt2RaKQ%3D&reserved=0>

[mford Samford University Logo]



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Pardonek, Jim
Sent: Tuesday, February 4, 2020 9:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [EXTERNAL][SECURITY] MFA/2FA Implementation Questions

Hi All,

Our MFA project has hit a few snags and our senior leadership is asking us to gather more information from other 
schools to identify and potential issues.

Rather than Duo, the university opted for Microsoft and although mostly smooth so far, we still have some nagging 
problems that keep coming up.

One that has come up as of late is modern auth support for android email.  Seems like 3 months ago, the answer for 
anyone with an android was install the Outlook client.  What we have been finding is that Samsung phones, for example, 
S7 or later that have a minimum email client version of 6.1.01.0 work with modern auth.  Given the rabbit hole that 
androids can make. We are now being asked to test as many makes, models and versions of android phone that we can get 
our hands on.  If anyone has done this research, we would appreciate any insight.

I've asked this on a previous post but got no responses but thought I'd ask again regarding exception groups.  Our 
current stance is to except Board members, Council of Regents and alumni. We would be interested in seeing what other 
schools are doing.

Lastly if you would be kind enough to share any pitfalls, constraints and roadblock as well as implementation 
recommendations, we would greatly appreciate it.

Thanks in advance.


James Pardonek, MS, CISSP, CEH, GSNA
Associate Director
Chief Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL  60660

*: (773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: 
https://www.facebook.com/lucuiso/<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2Flucuiso%2F&data=02%7C01%7Cjamie.schademan%40CWU.EDU%7C15cdcaa6a5de4e8a192208d7a994053c%7Cf891d6c191d6444ba700d371910716c7%7C0%7C0%7C637164325524995187&sdata=Ct6VjWQXITpcBWocVaOsOUKMT0JcF4lNsmvd%2BmEVjKk%3D&reserved=0>
Our Blog 
http://blogs.luc.edu/uiso/<https://nam01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fblogs.luc.edu%2Fuiso%2F&data=02%7C01%7Cjamie.schademan%40CWU.EDU%7C15cdcaa6a5de4e8a192208d7a994053c%7Cf891d6c191d6444ba700d371910716c7%7C0%7C0%7C637164325524995187&sdata=WbU5k6%2FBJrTB1sc43AkPlCXv00NsGwvzUS62AJX65dM%3D&reserved=0>


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsecure-web.cisco.com%2F15Le7rT49HxIRVnrGiiz4iZkUzcmOtq5St0E0n-tQbXUTexhS7NadPHV8NQGW-6axhQSWXK4nFKHmnOSnhVYq_pHwtYtxiG1DxlpAri_xfvlG8ZhRJKf-Hsb1Kz6VmONlt40PX3y5OcbgL5Xvs0r-wwnjLV3Sq63nJr_3PD3p0BwsRAZ1FORqeMKmxvgP71rErjqvYluVSZrD0QF867o3gilLAvzvs1LfrfsujLAJemXEZOHenOT7IKG0R89wJIx6J1hMCOfvkIzXdvxMk0m5PTCLkBiGW1_cGdRlM0xRUFKTWsWvtWLiyY0zU9T8cpetpQiVPYCNBauUeO--ENiFEQ%2Fhttps%253A%252F%252Fwww.educause.edu%252Fcommunity&data=02%7C01%7Cjamie.schademan%40CWU.EDU%7C15cdcaa6a5de4e8a192208d7a994053c%7Cf891d6c191d6444ba700d371910716c7%7C0%7C0%7C637164325525005181&sdata=64aFcAIucetGpQpoiymF3sDYGaf%2BVgwHU7o5sJK3c%2F8%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjamie.schademan%40CWU.EDU%7C15cdcaa6a5de4e8a192208d7a994053c%7Cf891d6c191d6444ba700d371910716c7%7C0%7C0%7C637164325525005181&sdata=i32nkP1w09zGvWrzMx2UNZipCzlY%2BrOzo0muK59F1Fc%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
Current thread:

MFA/2FA Implementation Questions Pardonek, Jim (Feb 04)
- Re: MFA/2FA Implementation Questions Barton, Robert W. (Feb 04)
- Re: MFA/2FA Implementation Questions Blake M Bourgeois (Feb 04)
- Re: MFA/2FA Implementation Questions Bandy, John (Feb 04)
  - Re: MFA/2FA Implementation Questions Jamie Schademan (Feb 04)
- Re: MFA/2FA Implementation Questions Greg Williams (Feb 04)