Occasional Contributor I

Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

Unfortunately for me, my current job as an IT Director probably rests on nailing a major project deliverable within the next ~5-7 business days.

I only have one full-time network/security engineer, so we hired a consulting company to help us with integrating:

Duo MFA,
Palo Alto VPN,
and Clearpass

Our goal was "simple" -- have a user log into the Palo Alto Global Protect VPN, confirm auth with DUO MFA, and then pass Clearpass OnGuard posture checking, before finally being placed into one of a handful of authorized VLANs (based on security groups in AD).

Right now, we have all of this "almost working" but with a Duo proxy server (some sort of RADIUS server?). The problem is that the Duo proxy server only talks MS CHAP v2 and the Palo only talks CHAP. The consultant looked at getting the Duo working directly with Clearpass instead of the Palo, but so far no joy.

So, our current goal is to use Duo MFA directly with Clearpass (via an API?) to place users coming in via the Palo VPN into a particular VLAN.

ANY assistance (guides, links, etc.) is most sincerely appreciated. Please let me know if you need more info, and I can have my network engineer post here as well.

Guru Elite

Re: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

You'd need to set up the DUO on-prem RADIUS server as a Token Server in ClearPass and use that as your authentication source.

Note: none of this has been tested.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

The only ways I know how to do this are using the "Duo proxy server" or using the MFA settings built into the CPPM Guest weblogin pages.

For your deployment it might be worth looking into the weblogin MFA settings. Perhaps you could direct user to a weblogin page on CPPM and auto log them in with anonymous credentials and enable Duo MFA. This way your users will see a webpage telling them what they need to do with Duo and once they've passed Duo authentication you can assign a different role or whatever you want to do.

I don't think there's any direct access into the Duo API (like you mentioned) for this purpose that's been setup by anyone that I'm aware of. I'd be interested to hear about it if there was.

Cheers
James
@whereisjrw | blog
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.

Re: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

cappalli wrote:
    You'd need to set up the DUO on-prem RADIUS server as a Token Server in ClearPass and use that as your authentication source.
    Note: none of this has been tested.

That sounds interesting! Didn't know on-prem was an option.

Cheers
James
Guru Elite

Re: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

You mentioned it in your previous post ☺

The DUO proxy is an on-prem component.


Re: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

Ahh, that one. I was envisioning something more robust. :)

Cheers
James
New Contributor

Re: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

Did you get this sorted?

We have a forum as well for these types of questions: https://community.duo.com/

Cheers

EDIT:

You can integrate using the Duo Authentication Proxy if you like; documentation for that can be found here: https://duo.com/support/documentation/radius This is pretty quick but has an on-prem component, and doesn't support a bunch of the features that the Duo Prompt provides. https://guide.duo.com/prompt

There is also a direct integration that makes use of the Authentication Prompt and has many more features; you can use this against your captive portal page to find Duo as an available MFA provider. Aruba has more complete documentation on this available.

MVP

Re: Desperately need help: Integrating Duo MFA, Palo Alto VPN, and Clearpass

Many answers - no reply. Did you not get to keep your job? Or did you fix it and now leave us hanging here? ;)

Palo Alto has the DUO Proxy as Authentication Source. The DUO Proxy has Clearpass as its RADIUS. Setup is found here:

https://duo.com/docs/radius#radius

Don't think MSCHAPv2 vs CHAP should be a problem with that setup.

Now, over to the OnGuard part. That's probably more tricky, but still doable. The clients need access to HTTPS for the posture assessment to go through. Remember to use the exact same username during RADIUS authentication as with the OnGuard WEBAUTH, as that is required for VPN auth with posture to work.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
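The two-hop chain described in the post above (GlobalProtect as the NAS, the Duo Authentication Proxy in the middle, ClearPass as the primary RADIUS server, Duo's cloud as the second factor) maps onto the proxy's authproxy.cfg as follows. This is an added example written for this thread, not configuration posted by anyone here and not a copy of Duo's or Aruba's documentation; every hostname, address, secret and the ikey/skey/api_host values are placeholders you would replace. Two things a practitioner would check against it: the firewall must send the proxy a password protocol the proxy section accepts, and Duo's GlobalProtect RADIUS guide has you set the PAN-OS RADIUS server profile to PAP rather than its CHAP default, which is the usual resolution of the CHAP-vs-MS-CHAPv2 mismatch raised at the top of the thread; and the attributes ClearPass returns (the VLAN or group decision the OP wants the firewall to act on) reach PAN-OS only if the proxy is told to pass them through.

```ini
; Added example for this thread (not from any poster or from Duo/Aruba docs):
; Duo Authentication Proxy authproxy.cfg for the chain
;   GlobalProtect (NAS) -> Duo proxy -> ClearPass (primary RADIUS) -> Duo cloud (second factor)
; All hosts, addresses, secrets and the ikey/skey/api_host values are placeholders.

[main]
; Verbose logging helps while the two-hop chain is being brought up; turn it off afterwards.
debug=true

; Hop 2: the proxy acting as a RADIUS *client* toward ClearPass.
; ClearPass must list the proxy's IP as a network device with this same shared secret,
; because from ClearPass's point of view the proxy, not the firewall, is the NAS.
[radius_client]
host=clearpass.example.com
secret=ProxyToClearPassSecret
port=1812
; Copy every attribute ClearPass puts in its Access-Accept into the proxy's reply to the
; firewall. Without this the proxy answers with a bare Access-Accept and the VLAN/group
; result ClearPass computed never reaches PAN-OS.
pass_through_all=true

; Hop 1: the proxy acting as a RADIUS *server* toward the firewall, adding Duo as the second factor.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_WITH_YOUR_DUO_SECRET_KEY
api_host=api-xxxxxxxx.duosecurity.com
; The PAN-OS RADIUS server profile points at this proxy with this secret, which is
; deliberately different from the proxy-to-ClearPass secret above.
radius_ip_1=192.0.2.10
radius_secret_1=FirewallToProxySecret
; Send primary authentication to the [radius_client] section above.
client=radius_client
port=1812
; "safe" lets a login succeed on primary auth alone if the Duo cloud is unreachable;
; for a remote-access VPN consider "secure" so an outage fails closed instead.
failmode=safe
```

After editing the file, validate it with the connectivity tool Duo ships with the proxy and restart the proxy service. Note that with this layout ClearPass only ever sees the proxy's address as the NAD, so any ClearPass service rule keyed on the firewall's IP has to be written against the proxy instead.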