We have laptops set up to use 2-factor authentication on logon. Windows natively handles the caching of AD credentials properly (and can be configured via group policy). However, NetIQ does not allow for configuration of the offline OTP cache. To my knowledge, the offline OTP cache is 10 lookups; the lifetime is not obvious. On every successful logon, the local client appears to recalculate the next 10 OTP presses and caches this information for use.

Our VPN is set up such that authenticating to it also requires an OTP press. When the user connects successfully, the VPN allows them to contact the server directly, at which point the network OTP cache is used. The network OTP cache depth is configurable.

The problem is that if the user fails to authenticate to the VPN properly (e.g. network turbulence prevents the tunnel from being established), they can eat up all 10 valid OTP presses, such that the next time they try to unlock the laptop, their user account is locked out. The workaround that we suggest is that if the user fails to authenticate to the VPN in a couple of tries, they lock and then unlock the laptop -- this refreshes the local cache. However, this is burdensome on the user and is unforgiving if they forget. We would like to increase the offline OTP cache size so that this is less likely to be an issue.
by: Mike R. | over a year ago | Configuration
Comments
This would be very beneficial in my environment
We will investigate this. I will update this suggestion as we progress.
Andrew, are you using HOTP? This would only work for HOTP (as it is instance-based) and would have no effect on TOTPs.
We identified this potential issue as well; however, as we are using YubiKeys as HOTP tokens, we are having our users authenticate to workstations with the YubiKey acting as a U2F token. This helps reduce the probability that it happens.
Troy, yes, I'm using HOTP.
We are scoping this feature. We believe that setting the 'window' may already do this.
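The following is an added example, not code from the original post or from NetIQ's product, that models the behaviour the post describes (an HOTP token whose every press advances the counter, a laptop-side cache of the next N codes precomputed at each successful logon, and a server-side look-ahead window, which is what the last comment calls the 'window'). How NetIQ actually implements its caches is not known here; the class names, the default window of 50, and the scenario functions are hypothetical, and the seed is the RFC 4226 test-vector key rather than a real token secret. The example shows why ten failed VPN attempts exhaust a depth-10 cache, why the lock/unlock workaround helps only if done before the cache is exhausted, and how a larger depth or server window absorbs the skipped presses.

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226 test-vector key, not a real token secret.
SEED = b"12345678901234567890"
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """Hypothetical hardware token: each press emits the code for the current counter and advances it."""

    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def press(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class NetworkVerifier:
    """Hypothetical server-side check with a look-ahead window (the configurable network cache depth)."""

    def __init__(self, seed: bytes, window: int):
        self.seed, self.window, self.last_counter = seed, window, -1

    def verify(self, code: str) -> bool:
        # Accept any of the next `window` counters; resynchronise past presses the server never saw.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c
                return True
        return False


class OfflineCache:
    """Hypothetical laptop-side cache: on every successful logon, precompute the next `depth` codes."""

    def __init__(self, seed: bytes, depth: int):
        self.seed, self.depth, self.entries = seed, depth, []

    def refresh(self, last_counter: int) -> None:
        self.entries = [(c, hotp(self.seed, c))
                        for c in range(last_counter + 1, last_counter + 1 + self.depth)]

    def unlock(self, code: str) -> bool:
        for c, cached in self.entries:
            if hmac.compare_digest(cached, code):
                self.refresh(c)  # a successful unlock is a logon: slide the cache forward, dropping older codes
                return True
        return False


def _online_logon(cache_depth: int, window: int = 50):
    """One successful online logon that seeds both the server counter and the offline cache."""
    token, server, cache = Token(SEED), NetworkVerifier(SEED, window), OfflineCache(SEED, cache_depth)
    if not server.verify(token.press()):
        raise RuntimeError("initial logon should succeed")
    cache.refresh(server.last_counter)
    return token, server, cache


def offline_unlock_after_vpn_failures(cache_depth: int, wasted_presses: int) -> bool:
    """Tunnel never comes up: each retry burns a press nobody validates. Can the laptop still unlock offline?"""
    token, _, cache = _online_logon(cache_depth)
    for _ in range(wasted_presses):
        token.press()
    return cache.unlock(token.press())


def workaround_lock_unlock(cache_depth: int, wasted_per_round: int, rounds: int) -> bool:
    """The suggested workaround: lock/unlock after a few failed VPN tries so the cache slides forward."""
    token, _, cache = _online_logon(cache_depth)
    for _ in range(rounds):
        for _ in range(wasted_per_round):
            token.press()
        if not cache.unlock(token.press()):
            return False
    return True


def network_resync_after_skips(window: int, skipped_presses: int) -> bool:
    """Server-side window: is the next press still accepted after `skipped_presses` unseen ones?"""
    token, server, _ = _online_logon(cache_depth=10, window=window)
    for _ in range(skipped_presses):
        token.press()
    return server.verify(token.press())


if __name__ == "__main__":
    print("depth 10, 9 failed VPN tries, unlock:", offline_unlock_after_vpn_failures(10, 9))
    print("depth 10, 10 failed VPN tries, unlock:", offline_unlock_after_vpn_failures(10, 10))
    print("depth 20, 10 failed VPN tries, unlock:", offline_unlock_after_vpn_failures(20, 10))
    print("workaround, 2 tries then lock/unlock, 5 rounds:", workaround_lock_unlock(10, 2, 5))
    print("server window 10 after 10 skips:", network_resync_after_skips(10, 10))
    print("server window 20 after 10 skips:", network_resync_after_skips(20, 10))
```

The point the model makes explicit is that the laptop's cache and the server's window are two independent look-ahead budgets over the same counter: a press wasted on a failed tunnel advances the token but neither budget, so the eleventh press falls outside a depth-10 cache while a server with a wider window would still resynchronise to it.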