Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
630
Views
0
Helpful
2
Replies

Windows Logon - conditional access

Go to solution
Antony-Gallez
Level 1
Level 1

‎04-27-2023 01:36 AM

Hello community,

I am in the process of feature validation for Duo and, related to Windows Logon, I was wondering if we could enfore 2FA for laptop outside the enterprise network.

In other words, if a laptop is connected to our enterprise network (directly - no VPN), 2FA is bypassed but if the user is outside, 2FA is enforced.

Regards,
Antony

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
DuoPablo
Cisco Employee
Cisco Employee

‎04-27-2023 07:50 AM

Hi @Antony-Gallez ,

The Duo feature that allows the bypass of 2FA from specific networks is provided by the Authorized Networks policy setting.

Which applications support Remembered Devices and Authorized Networks?

When logging into Windows locally (not through RDP), the IP address reported to Duo is 0.0.0.0. Please see the following KB article that explains why this is: Knowledge Base | Duo Security

Since no actual IP address is reported during a Local Winlogon authentication, there is no way to apply the Authorized Networks policy.

I would recommend you have Duo protecting the applications themselves that users log into (to include VPN) and, if possible, move away from viewing specific networks as “trusted” so as to coincide with more of a Zero Trust architecture.

Thanks for trying Duo!

View solution in original post

0 Helpful
2 Replies 2

Go to solution
DuoPablo
Cisco Employee
Cisco Employee

‎04-27-2023 07:50 AM

Hi @Antony-Gallez ,

The Duo feature that allows the bypass of 2FA from specific networks is provided by the Authorized Networks policy setting.

Which applications support Remembered Devices and Authorized Networks?

When logging into Windows locally (not through RDP), the IP address reported to Duo is 0.0.0.0. Please see the following KB article that explains why this is: Knowledge Base | Duo Security

Since no actual IP address is reported during a Local Winlogon authentication, there is no way to apply the Authorized Networks policy.

I would recommend you have Duo protecting the applications themselves that users log into (to include VPN) and, if possible, move away from viewing specific networks as “trusted” so as to coincide with more of a Zero Trust architecture.

Thanks for trying Duo!

0 Helpful

Go to solution
Antony-Gallez
Level 1
Level 1

‎04-27-2023 09:00 AM

Hello,

Thank you for your swift reply.

This requirement comes for the customer: they want to protect Windows Logon only when outside their corporate network. 2FA is also used to secure their other business applications (incl. VPN).

Anyway, for what I understand, it is not supported.

Have a nive day.
Antony

0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents