Frequent Contributor I

Clearpass two-factor with Google Authenticator

Hi All

I am looking into two-factor authentication for wireless (client request). We have Aruba Controllers, Instants, Clearpass and Airwave in the environment.


What we want is on the enterprise WiFi (802.1x) we want to use Google Authenticator to generate a token for the user to use when connecting to the wireless.


What we had in mind is something similar to how the client's PaloAlto VPN currently works.
The connecting user follows instructions and registers with their AD domain credentials on a Palo Alto portal for VPN. They receive a QR code (or normal coded string) for their VPN after registering through the Palo Alto VPN portal - the registration uses the Active Directory Username and Password for authentication - the Google Token for the user is associated to the AD account.

Then when the user connects to the VPN using their AD credentials the Token entry appears and they enter the Token they get (this from within the Google Authenticator App) to complete the connection.


They now want the same when connecting to wireless - they want to use their AD credentials and then as well as the Two-Factor token for authentication - this to be separate from their PaloAlto setup.


Is this possible, and where do I start looking for information to achieve this? I am thinking of using Clearpass similar to what you would do for RSA and Fortigate Authenticators, but I have no idea where to look and start for Google Authenticator.
Any help/advice will be greatly appreciated.



Guru Elite

Re: Clearpass two-factor with Google Authenticator



So you have an existing server serving as the Google Authenticator OTP server?

Just a heads up, 802.1X + MFA for each authentication is not recommended.

Tim Cappalli | Aruba Security
@timcappalli | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Clearpass two-factor with Google Authenticator


I believe the client does have one, yes - however from what I understood from the request it needs to be a separate server.

Hence I am still looking into the server side as well. I see there is code for Linux based Google OTP server available from what I will be looking at.


I see there are a number of edits to make in the PAM module - what will be required there I am also still in the dark.

Guru Elite

Re: Clearpass two-factor with Google Authenticator

If they have an existing server, you'd just configure that as a token server in ClearPass.

As mentioned in the previous post, please do not try to do this with a traditional 802.1X authentication.

Tim Cappalli | Aruba Security
@timcappalli | ACMX #367 / ACCX #480