Requirement:In addition to the user knowing a pin or a password to get access to the network through ClearPass, you might want the user to go through Multi-factor authentication (MFA) that requires multiple factors, or proofs of identity. This article covers the integration with one of the MFA vendor Duo Security with ClearPass version 6.6. This is only supported in ClearPass version 6.6 and later.
Solution:This article covers the integration of Clearpass with Duo for MFA
Configuration:Once we have a Duo Subscription it allows us to choose the application that we want to protect with MFA and you need to choose Aruba ClearPass as the application as shown in the screenshot below
Once we choose ClearPass as the application, Duo generates the Integration Key, Secret Key, API Hostname for our application and we would need these details to configure Duo on the ClearPass web login page so that ClearPass can establish communication with Duo.
Duo also allows you to change the name of the application and also the greeting for the user when it calls the user for validation. All that can be configured in Duo upon requirement.
Also note that you can sync Duo with Active directory to import users from AD without them having to enroll manually.
On ClearPass under web login page settings from ClearPass version 6.6 onwards we have a section for Multi-Factor Authentication that allows to choose the MFA vendor and configure.
We need to choose Due Security - Two Factor Authentication as the vendor.
As mentioned earlier the Integration Key, Secret Key and API Hostname are provided by Duo, however we also need a Duo AKEY which needs to be generated by us and this is something that stays within ClearPass configuration and Duo does not need to know this. Duo documentation tells us how we can generate the AKEY. According to that we can use the following python statements to generate it.
import os, hashlib
print hashlib.sha1(os.urandom(32)).hexdigest()
Once we execute these statements in a machine running python it generates a 40 character Hex key which is the AKEY and we can put it in the ClearPass settings page.
Once all these settings are configured, everything else is very similar to regular captive portal work flow. You can configure pre-auth on ClearPass to make sure that users are entering valid credentials before moving on to MFA.
VerificationOnce the user hits the web login page configured for MFA, the user would initially see the regular webpage prompting for a username/password
After the user enters a valid username and password they would be redirected to a page that presents him the Duo MFA options, which is where the user has to choose the method they wish to authenticate themselves
If the user is not enrolled in Duo depending on the "New user policy" on Duo, he would be prompted to enroll and install the Duo App.
The user can choose any one of the options shown above and provide the 2nd factor of authentication.
For a push notification the user would be alerted on his mobile/device through the Duo app as seen from the screenshots below
Once you hit approve you would get another push notification to confirm the login
Once the user confirms the login then the authentication process would proceed to the next step of posting credentials based on the login mechanism, after passing which provides the user with network access.