Best Ways to Implement MFA for EMTs on Mobile Units?

Asked By TechieWizard42 On

I'm part of the local government and work with the Department of Emergency Services, which includes Fire Rescue and EMTs. Each vehicle, such as a truck or an ambulance, has its own laptop that is not connected to a domain (they use local accounts) and accesses the internet through a FirstNet hotspot. They're utilizing NetMotion to VPN into our network and run their Dispatch software, which is similar to what the deputies use.

Recently, new guidelines from the FBI and our state law enforcement have mandated that anyone who can access Criminal Justice Information Services (CJIS) information must use Multi-Factor Authentication (MFA). Even though the EMTs primarily deal with Fire/Rescue calls, there's still a connection to the Sheriff Office's network, so MFA is deemed necessary.

Currently, we use DUO for MFA in our county, but I'm unsure of the best way to implement this for the EMTs. If we connect them to the domain and require YubiKeys, we run into the issue of cached credentials before they connect via NetMotion, and the personnel on call can frequently change mid-shift. It's not practical for them to log in if they are already on the road either.

I proposed running MFA behind the NetMotion connection, but I was told the MFA step needs to happen at the laptop login. Another consideration is switching to CradlePoints with an IPSec tunnel connection, though that would come with additional costs. Lastly, there's the concern of losing a YubiKey, or the risk of it breaking in the USB port, which complicates operations for public safety in emergencies.

4 Answers

Answered By NetworkNinja88 On

Does NetMotion actually support DUO for MFA during a VPN connection? I’ve seen some setups where DUO could function similarly to OKTA at login, but I’m not sure about the specifics with NetMotion.

Answered By GadgetGeek77 On

I don't have a definite answer, but I'd love to know how you handle situations where a new crew member hasn't logged in yet during a shift change. Delays caused by MFA logins can be critical in emergencies. While they can get directions over the radio, that's definitely slower than the dispatch software.

SwiftResponder99 -

Yeah, I raised the same concern, and it seems like nobody really has a solution. It feels more like an unfunded mandate from above without practical ways to implement it.

Answered By FirefightingTech24 On

In my opinion, you should domain join the laptops and give each firefighter usernames. Once you have them on the domain, you can install DUO for MFA at laptop login, as long as there’s an active network. Set a policy for password caching for 24 to 48 hours on those machines so they can log in without hassle when they're in a hurry. It’s a bit of a hassle, but ideally, they should get logged in during shift change when both teams are around for a handover. You might also want to look into having the VPN active before the laptop login—this could simplify things for you. If you can’t manage that, consider asking the sheriff's IT department for their approach.
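One concrete piece of the cached-logon advice above is the Windows setting that decides how many domain sign-ins a laptop remembers for use when no domain controller is reachable. Windows bounds this by count (the CachedLogonsCount value, default 10, maximum 50), not by hours; any time-based offline window would come from the MFA client's own offline-access policy rather than from Windows. The PowerShell below is an added example, not code from the thread or from any vendor; it reads the current value on a domain-joined laptop and raises it if it is below a constructed target, so that every crew member who might sign in before the NetMotion tunnel is up still has a cached entry. The function names and the target of 20 are assumptions for illustration.

```powershell
# Added example (not from the thread): inspect and adjust the number of domain
# logons Windows caches for offline sign-in. Run from an elevated prompt on the
# target laptop. In production, push the same setting via Group Policy:
# Computer Configuration > Windows Settings > Security Settings > Local Policies
# > Security Options > "Interactive logon: Number of previous logons to cache".

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name     = 'CachedLogonsCount'

function Get-CachedLogonsCount {
    # Returns the effective count; Windows treats an absent value as 10.
    $value = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) { return 10 }
    return [int]$value
}

function Set-CachedLogonsCount {
    param([ValidateRange(0, 50)][int]$Count)
    # Windows stores this value as REG_SZ, so it is written as a string.
    Set-ItemProperty -Path $winlogon -Name $name -Value ([string]$Count) -Type String
}

$current = Get-CachedLogonsCount
Write-Host "Cached domain logons currently allowed on this machine: $current"

# 0 disables offline domain logon entirely; size the count to the largest
# roster that could rotate onto one vehicle between reconnects.
$desired = 20   # constructed target for illustration
if ($current -lt $desired) {
    Set-CachedLogonsCount -Count $desired
    Write-Host "Raised CachedLogonsCount to $desired (applies at next logon)."
}
```

This only governs the Windows credential cache. An MFA credential provider installed at the logon screen keeps its own rules for whether a sign-in may proceed without reaching the MFA service, so both settings need to be reviewed together when planning for crews who log in on the road.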

Answered By MFAPro204 On

I've got some insight on this! We use always-on VPN through Palo Alto, connected to a local domain. The laptops boot up and connect to the internet through CradlePoints. They sign in, receive a DUO prompt, and then the VPN kicks in. We're also working towards Entra join on Toughbooks. The latest CJIS policy does allow for using certificates and YubiKeys here. Users authenticate off Entra AD using passwordless YubiKeys and enter a 6-digit PIN. If they lose or break a key, you can assign a backup one, and you can also set up temp passwords if needed. Plus, Entra allows web sign-in with MFA via MS Authenticator too, which could give you options beyond VPN before login, but using YubiKeys or MS Authenticator for SAML on the VPN should also work well.

TechieWizard42 -

Thanks for the info! We're looking into setting up our GCC tenant with Entra AD as a potential solution.
