Thanks for the quick response and sorry for the slow reply...
I should not have said endpoint since that is a CP product. I meant in general the CP VPN client. Although we are going to be deploying Endpoint Security in the future, we are currently dealing with connecting to an embedded GAIA device via the CP mobile VPN client for Windows. Are there settings on the gateway or management, through policy or db edits, where we can disable the credential caching?
When testing, I login using my credentials which includes using Duo for 2FA. The Duo 2FA should not be an issue since it's a proxy between the CP gateway and the LDAP server. The CP gateway sends the LDAP request to the Duo proxy which then forwards that request to the LDAP server. Once the Duo proxy receives the successful LDAP response it will hold that response and reach out to the Duo service for the 2FA push. Once it receives the successful 2FA authentication for the user then it will release the successful LDAP auth response to the CP gateway.
I wanted to give a quick overview of the LDAP/2FA before because we only get the Duo 2FA on the initial connection. After that initial connection, the CP VPN authenticates without ever hitting the Duo proxy. Since we do not get that Duo 2FA prompt, I know it's using cached credentials.
2FA is a requirement, so we have to find a way to stop this CP VPN from caching the credentials with something besides an Endpoint Security setting.