2FA broke google authentication for mobile users

Ahoste

Hi all,

We are using Google authentication via splash page for our staff in our HQ.

This was all working (relatively) fine until we forced 2FA out to all our users for security reasons.

Now this is still fine for them to authenticate on laptops/MacBooks, but when they want to authenticate on an iPhone that is also their 2FA device, it will ask them to go to the Google Mail app or text app to allow the login attempt. Once they go to another app, it stops the authentication process on the phone and you have to start from scratch, sending you in loops, unless you try to connect without authenticating and then do the process in Safari on the iPhone, which will not stop the authentication process when going to another app to allow the login.

But obviously that is not something we can ask our staff to do.

I blame Apple for this.

Anyhow, I found a workaround that applies a policy based:

[Screenshot: Schermafbeelding 2020-08-19 om 17.37.06.png]

The 'mobile device' policy then bypasses the splash page and assigns the device to our guest VLAN, so they have less access to the network since they don't have to authenticate.

 

Does anybody have another 2FA workaround, or are there any flaws to this workaround?

Thanks in advance,

Cheers

Ahoste

Short update: assigning a policy pre-splash page like I did here doesn't work either. It worked a couple of times, where the splash page just said successful and you would click done and you'd be connected. Those times must've been flukes, because now on my iPhone it still shows the splash page and asks me to log in.

Shame.

Foxder

@Ahoste We have the same issue. We have 2FA turned on, which means that iPhone users can't log in from their mobile devices, since anytime they navigate away from the splash page it closes.
