Perform the following steps to configure Logon Filter:
Install the Advanced Authentication Logon Filter component on all Domain Controllers.
Enable Logon Filter through the Advanced Authentication - Administrative Portal: section > > switch to .
Create the following two groups in Active Directory:
Legacy logon – a group that contains all users (you can simply add the Domain Users group as a member).
MFA logon – a group that is empty to begin with.
You can use any names for the groups.
Navigate in the Advanced Authentication - Administrative Portal:
> select the Active Directory repository in use > scroll down > expand > scroll to the bottom.
Point Legacy logon tag to the Legacy logon group and MFA logon tag to the MFA logon group.
NOTE: The Legacy logon tag must point to a custom group in Active Directory that includes all users. Built-in groups such as Domain Users are not supported as the tag target; the users can be direct members of the custom group, or you can nest another group that contains them (for example Domain Users, or another custom group). The MFA logon tag should point to an empty Active Directory group. When a user logs on, Logon Filter checks how the user authenticated: if the user authenticated with Advanced Authentication, the user is automatically moved to the group specified in the MFA logon tag field.
Scroll up and enter a Password in the Repository Settings.
Scroll down and click .
Wait for a minute.
Ensure that Advanced Authentication Windows Client is installed on all required workstations.
When you are ready to prohibit logon on all workstations that do not have the AA Windows Client installed, configure the Microsoft policy in the Default Domain Policy or a custom GPO so that logon is allowed only for the MFA logon group, using the following steps. Pilot this with a custom GPO linked to a test OU before touching the Default Domain Policy: a user right defined in a GPO replaces the existing list of holders on the target computers rather than adding to it, so any account that must still be able to log on (administrators, break-glass accounts) has to be covered explicitly.
On a Domain Controller, open Group Policy Management by entering gpmc.msc in the search box.
Double-click the name of the forest, double-click Domains, and then double-click the name of the domain to which you want to apply the policy.
Right-click and then click .
In the console tree, expand and navigate to > > > > > .
In the right pane, double-click .
Specify the group that the MFA logon tag points to.
Click in the Properties dialog box.
NOTE: The above steps prevent users who do not have the NetIQ Windows Client installed from logging on to workstations (domain-joined workstations only). A user who logs on with the NetIQ Windows Client installed is automatically moved from the group pointed to by the Legacy logon tag to the group pointed to by the MFA logon tag.
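The following PowerShell script is an added example and is not part of the NetIQ documentation or product. It automates the Active Directory side of the procedure above (creating the two groups, nesting Domain Users into the Legacy logon group, checking that the MFA logon group starts empty) and adds two checks a practitioner wants after rollout: which group a given user currently sits in, and whether the MFA logon group actually holds the logon right on a workstation. The group names, the OU path, the domain name, and the assumption that the Microsoft policy configured in the GPO is the "Allow log on locally" user right (SeInteractiveLogonRight, which the page leaves unnamed) are all assumptions of this example.

```powershell
# Added example, not from the NetIQ documentation. Requires the ActiveDirectory
# RSAT module; run the group steps on a Domain Controller or admin workstation,
# and Test-MfaLogonRight on a domain-joined workstation after gpupdate /force.
Import-Module ActiveDirectory

$ou         = 'OU=Security Groups,DC=example,DC=com'   # assumption
$legacyName = 'AA-LegacyLogon'                          # assumption, any name works
$mfaName    = 'AA-MFALogon'                             # assumption, any name works

# 1. Create the two custom security groups if they do not exist yet.
foreach ($name in @($legacyName, $mfaName)) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
                    -GroupCategory Security -Path $ou `
                    -Description 'Advanced Authentication Logon Filter'
    }
}

# 2. Legacy logon must contain all users. The tag itself cannot point at a
#    built-in group, but nesting Domain Users inside the custom group is fine.
$domainUsers = Get-ADGroup -Identity 'Domain Users'
$alreadyNested = Get-ADGroupMember -Identity $legacyName |
                 Where-Object { $_.SID -eq $domainUsers.SID }
if (-not $alreadyNested) {
    Add-ADGroupMember -Identity $legacyName -Members $domainUsers
}

# 3. MFA logon must start empty; Logon Filter populates it as users
#    authenticate through the Windows Client. Warn if someone pre-filled it.
$mfaMembers = @(Get-ADGroupMember -Identity $mfaName)
if ($mfaMembers.Count -gt 0) {
    Write-Warning "$mfaName already has members: $($mfaMembers.SamAccountName -join ', ')"
}

# 4. Report which side of the filter a user is on. Run after the user has
#    logged on once through the Windows Client to confirm the automatic move.
function Get-LogonFilterState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $groups = (Get-ADPrincipalGroupMembership -Identity $SamAccountName).Name
    if ($groups -contains $mfaName) { 'MFA' } else { 'Legacy' }
}

# 5. On a workstation, export the effective security policy and check that the
#    MFA logon group's SID is among the holders of the (assumed) user right.
#    secedit writes SIDs as *S-1-5-..., comma separated, on one line.
function Test-MfaLogonRight {
    $cfg = Join-Path $env:TEMP 'secpol.inf'
    secedit.exe /export /cfg $cfg | Out-Null
    $line = (Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight').Line
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $mfaSid = (Get-ADGroup -Identity $mfaName).SID.Value
    [pscustomobject]@{
        Holders    = $line
        MfaAllowed = [bool]($line -match [regex]::Escape($mfaSid))
    }
}

# Usage (assumed account name):
# Get-LogonFilterState -SamAccountName 'jdoe'
# Test-MfaLogonRight
```

Before enforcing the policy, run Test-MfaLogonRight on a pilot workstation and inspect the Holders string: it is the complete list of principals that will be allowed to log on locally once the GPO applies, so it must include every account you still expect to be able to sign in there, not only the MFA logon group.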