Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

  • 1.  Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

    Posted Nov 26, 2017 08:01 PM

    Unfortunately for me, my current job as an IT Director probably rests on nailing a major project deliverable within the next ~5-7 business days.

     

    I only have one full-time network/security engineer, so we hired a consulting company to help us with integrating:

     

    Duo MFA,

    Palo Alto VPN,

    and Clearpass

     

    Our goal was "simple" -- have a user log into the Palo Alto Global Protect VPN, confirm auth with DUO MFA, and then pass Clearpass OnGuard posture checking, before finally being placed into one of a handful of authorized VLANs (based on security groups in AD).

     

    Right now, we have all of this "almost working" but with a Duo proxy server (some sort of RADIUS server?). The problem is that the Duo proxy server only talks MS CHAP v2 and the Palo only talks CHAP. The consultant looked at getting the Duo working directly with Clearpass instead of the Palo, but so far no joy.

     

    So, our current goal is to use Duo MFA directly with Clearpass (via an API?) to place users coming in via the Palo VPN into a particular VLAN.

     

    ANY assistance (guides, links, etc) is most sincerely appreciated. Please let me know if you need more info, and I can have my network engineer post here as well.



  • 2.  RE: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

    EMPLOYEE
    Posted Nov 27, 2017 08:31 AM
    You'd need to set up the DUO on-prem RADIUS server as a Token Server in ClearPass and use that as your authentication source.

    Note: none of this has been tested.


  • 3.  RE: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

    Posted Nov 27, 2017 08:42 AM

    @cappalli wrote:
    You'd need to set up the DUO on-prem RADIUS server as a Token Server in ClearPass and use that as your authentication source.

    Note: none of this has been tested.

    That sounds interesting! Didn't know on-prem was an option.



  • 4.  RE: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

    EMPLOYEE
    Posted Nov 27, 2017 08:45 AM
    You mentioned it in your previous post ☺

    The DUO proxy is an on-prem component.


  • 5.  RE: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

    Posted Nov 27, 2017 08:50 AM

    Ahh that one. I was envisioning someone more robust. :)



  • 6.  RE: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

    Posted Nov 27, 2017 08:33 AM
    The only ways I know how to do this are using the "Duo proxy server" or using the MFA settings built into the CPPM Guest weblogin pages.

    For your deployment it might be worth looking into the weblogin MFA settings. Perhaps you could direct users to a weblogin page on CPPM and auto log them in with anonymous credentials and enable Duo MFA. This way your users will see a webpage telling them what they need to do with Duo and once they've passed Duo authentication you can assign a different role or whatever you want to do.

    I don't think there's any direct access into the Duo API (like you mentioned) for this purpose that's been set up by anyone that I'm aware of. I'd be interested to hear about it if there was.


  • 7.  RE: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

    Posted Nov 30, 2017 08:25 PM

    Did you get this sorted?

     

    We have a forum as well for these types of questions: https://community.duo.com/

     

    Cheers

     

    EDIT:

     

    You can integrate using the Duo Authentication Proxy if you like; documentation for that can be found here: https://duo.com/support/documentation/radius. This is pretty quick but has an on-prem component, and doesn't support a bunch of the features that the Duo Prompt provides: https://guide.duo.com/prompt

     

    There is also a direct integration that makes use of the Authentication Prompt and has many more features, you can use this against your captive portal page to find Duo as an available MFA provider. Aruba has more complete documentation on this available. 



  • 8.  RE: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

    Posted Dec 05, 2017 04:20 AM

    Many answers - no reply. Did you not get to keep your job? Or you fixed it and now leave us hanging here? ;)

     

    Palo Alto has DUO Proxy as Authentication Source. The DUO Proxy has Clearpass as its RADIUS. Setup is found here:

    https://duo.com/docs/radius#radius

    Don't think MSCHAPv2 vs CHAP should be a problem with that setup.

     

    Now - over to the OnGuard part. That's probably more tricky, but still doable. The clients need access to https for the posture assessment to go through. Remember to use the exact same username during RADIUS authentication as with the OnGuard WEBAUTH as that is required for VPN auth with posture to work.
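
Added example, not part of the post above and not Duo or Aruba code: a small check that a Duo Authentication Proxy `authproxy.cfg` is wired as the chain described there (Palo Alto firewall as RADIUS client of the proxy, ClearPass as the proxy's primary RADIUS server). The sample configuration, addresses and secrets are constructed placeholders; the `failmode` check is an addition the thread does not discuss, and `radius_ip_1` is compared as a single address only.

```python
import configparser

# Constructed sample authproxy.cfg for the chain in the post above:
# Palo Alto firewall -> Duo Authentication Proxy -> ClearPass (RADIUS).
# Every address, key and secret here is a placeholder.
SAMPLE_CFG = """
[radius_client]
; primary authentication is forwarded to ClearPass
host=192.0.2.10
secret=REPLACE-WITH-CLEARPASS-SHARED-SECRET

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE-WITH-DUO-SECRET-KEY
api_host=api-XXXXXXXX.duosecurity.com
; the Palo Alto firewall is the RADIUS client of the proxy
radius_ip_1=192.0.2.20
radius_secret_1=REPLACE-WITH-FIREWALL-SHARED-SECRET
client=radius_client
failmode=safe
"""

def check_chain(cfg_text, clearpass_ip, firewall_ip):
    """Return a list of findings; an empty list means the wiring matches."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    if not cfg.has_section("radius_server_auto"):
        return ["no [radius_server_auto] section: nothing listens for the firewall"]
    srv = cfg["radius_server_auto"]
    findings = []
    upstream = srv.get("client", "")
    if upstream != "radius_client" or not cfg.has_section(upstream):
        findings.append("primary auth is not forwarded to a [radius_client] section")
    elif cfg[upstream].get("host") != clearpass_ip:
        findings.append("[radius_client] host is not the ClearPass server")
    if srv.get("radius_ip_1") != firewall_ip:
        findings.append("radius_ip_1 is not the firewall; its requests are not accepted")
    fw_secret = srv.get("radius_secret_1")
    if fw_secret and fw_secret == cfg.get("radius_client", "secret", fallback=None):
        findings.append("firewall and ClearPass legs share one RADIUS secret")
    if srv.get("failmode", "safe").lower() != "secure":
        findings.append("failmode is not 'secure': logins pass without MFA if Duo is unreachable")
    return findings
```

With the sample as written, the only finding is the `failmode` one; changing it to `secure` returns an empty list.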



  • 9.  RE: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

    Posted Oct 04, 2020 02:33 PM

    The solution to this situation can be used using a universal alternative to user login adfs authentication as a 2FA method, as well as using dfs sso, for the convenience and simplicity of such login in the future, because the system generates a one-time password using security tokens, which makes this approach very universal, especially adfs server makes this analogy more accessible and reliable.