Hi Netskope community, 

I’ve deployed NPA for my company for several years now, with the re-auth feature enabled (every X days). This feature is leading to some difficulties in the Autopilot context and comes with a few “bugs” here and there, with complaints from a few users who are required to manually re-auth.

While reviewing those problems, I’m challenging the utility of this feature in my context:

  • I have a Windows 11 environment, all devices hybrid joined
  • when the auth expires, a popup appears, gets the local Windows auth token automatically and disappears by itself after a few seconds
  • I have a conditional access rule in Azure that disables MFA for the NPA app when the request comes from a trusted corporate device.
  • Nobody in the company has had to enter credentials because the auth is always OK since it comes from the local Windows session.

In this situation, for Windows corporate laptops, I’m wondering if there is any reason to enable this feature from a security standpoint.

I know that Netskope recommends activating this (https://docs.netskope.com/en/secure-tenant-configuration-and-hardening/) but I don’t see the point in this context.

Any opinion here?

Where I see a benefit is more for non-corporate devices (partners) where the local Windows session is a non-corporate one, hence the auth dedicated to NPA is relevant there.

@RobinT

In your current configuration, it’s only adding value if the device is non-compliant, by adding another layer of MFA if the user is accessing Private Apps without their device being compliant. If the user is on a compliant device then they will see the popup, get transparently reauthed and then continue their NPA session.

I’d suggest evaluating requiring the MFA for NPA reauth regardless of compliance if this is needed based on your organizational posture and policy. 

One other comment: I’d be interested to hear more on how it’s created challenges in Autopilot. In general, Autopilot should complete with the Prelogon user, who should not receive the reauth prompt at all.

Hi Sam, 

Thank you for your answer, appreciated.

For the Autopilot part, we face some difficulties at phase 3 of it: it sounds like at that stage we are in “user context”, no longer in the pre-logon context, hence the re-auth mechanism is in place. And since R123, the re-auth occurs at the very beginning, not at the end of the grace period as it was before, which gave us the time to complete phase 3.

During this phase 3, the prompt for auth is not working as expected, hence failing. Maybe it’s hidden by the Autopilot wizard or something else.

We are about to revert this behavior (there should be a new flag since yesterday to control that).

Happy to have a more extensive discussion on this if you can help us. This is quite a painful topic for us.

Regards, 

Robin
