Protecting non-VPN Users from Spray Attacks

chris.harvey
Level 1

I have a requirement for VPN with MFA for a subset of users, while protecting the other users from spray attacks.

Scenario:

  • Customer is currently implementing VPN with MFA for a defined set of users (1/3 of staff).
  • Most users do NOT have a requirement for VPN and MFA.
  • The customer is currently implementing Cisco Duo for MFA, and is currently using MS NPS for RADIUS auth to on-prem AD. Azure AD is out of the picture for the time being.
  • The customer has a partially implemented Cisco ISE.
  • Customer uses SCCM.
  • The customer does not have MS E3 licenses, or P1/P2.

Goal:

Protect non-VPN/MFA users from being locked out due to password spray attacks.

Option One

Increase the Duo licenses to cover all users

Con: Can’t do this - customer has 1/3 of users covered by MFA only.

Option Two

Machine certs as part of the auth chain, pre-logon

Does this require move to ISE, or will it work with NPS?

Will this work prior to users entering credentials?

Any downsides?

Option Three

AD Group supporting allowed VPN users, all other users in an AD group that disallows VPN access.

Does Group recognition happen before or after user credentials are shared?

Is it different for NPS vs ISE?

Thanks
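Added example, not from the original post and not Cisco, Duo or Microsoft code: a small Python detector that separates the spray pattern (one source, many accounts, one or two attempts each) from single-account brute force in rejected RADIUS authentications, since it is the spray pattern that produces the lockouts the post wants to prevent. The CSV layout of the sample records is constructed; real NPS logs use a different format, so only the parser would need adapting.

```python
"""Spray-pattern detector over rejected RADIUS authentications (constructed example)."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample records: timestamp,nas_ip,username,result.
# 203.0.113.7 touches five accounts once each (spray);
# 198.51.100.9 hammers one account (brute force / bad saved password).
SAMPLE_LOG = """\
2024-05-01T09:00:01,203.0.113.7,alice,REJECT
2024-05-01T09:00:03,203.0.113.7,bob,REJECT
2024-05-01T09:00:05,203.0.113.7,carol,REJECT
2024-05-01T09:00:07,203.0.113.7,dave,REJECT
2024-05-01T09:00:09,203.0.113.7,erin,REJECT
2024-05-01T09:00:11,203.0.113.7,frank,ACCEPT
2024-05-01T09:01:00,198.51.100.9,gina,REJECT
2024-05-01T09:01:05,198.51.100.9,gina,REJECT
2024-05-01T09:01:10,198.51.100.9,gina,REJECT
2024-05-01T09:01:15,198.51.100.9,gina,REJECT
2024-05-01T09:01:20,198.51.100.9,gina,REJECT
2024-05-01T09:02:00,192.0.2.44,henry,ACCEPT
"""

def parse(text):
    """Turn the constructed CSV into (timestamp, nas_ip, username, result) tuples."""
    rows = []
    for row in csv.reader(StringIO(text)):
        if row:
            ts, nas, user, result = row
            rows.append((datetime.fromisoformat(ts), nas, user.lower(), result))
    return rows

def find_sprays(rows, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {nas_ip: sorted usernames} for sources whose rejects inside any
    `window` hit >= min_users distinct accounts with <= max_per_user tries each.
    Breadth across accounts, not depth on one account, is the spray signature."""
    by_src = defaultdict(list)
    for ts, nas, user, result in rows:
        if result == "REJECT":
            by_src[nas].append((ts, user))
    hits = {}
    for nas, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            counts = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                hits[nas] = sorted(counts)  # flag once per source
                break
    return hits
```

Run `find_sprays(parse(SAMPLE_LOG))` against a real export to get the sources worth blocking at the VPN head end before the lockout threshold is reached.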
