Re: Protecting workstations with Duo

[Greg Williams <gwillia5 () UCCS EDU>]

We have done this, but very little.  In fact, I’ve only done this for my workstations.  Works great with wired 
workstations, but does not work as well for laptops.  The workstations are usually wired, so you have direct 
connectivity to DUO.  If you don’t have internet, there are 2 choices, you can either force MFA or bypass it, but 
what’s the point of MFA if you can bypass it with losing internet connectivity.  This is the case for laptops with 
wireless connectivity.  You can get it to work, but it will require that you allow and use pre-authorized 1 time 
passcodes.

Haven’t integrated it with Group Policy, but you do have to be enrolled in DUO before you get it working.

Bottom line is that it’s secure, but a pain if you can’t guarantee that you will have internet connectivity.

Greg Williams, ME
Director of Networks and Infrastructure
Information Technology

Adjunct Faculty
Department of Computer Science – College of Engineering and Applied Science

University of Colorado Colorado Springs
1420 Austin Bluffs Parkway, (EPC 136A)
Colorado Springs, CO 80918
www.uccs.edu<http://www.uccs.edu>


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Emily 
Harris
Sent: Wednesday, June 7, 2017 11:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Protecting workstations with Duo

I'm curious if anyone has deployed (or is thinking of deploying) MFA on their workstation logins via Duo.  It looks 
like it can be done, but it isn't very straight-forward.  It requires a local workstation client, and to manage the 
users via Group policy.

Our goal is to require MFA for admin accounts only (for now).  I'm wondering if anyone has already deployed this.  
Thanks!

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221