Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Possibility of rsa secure-id for two-factor authentication in Aruba Controller/Airwave/CPPM

  • 1.  Possibility of rsa secure-id for two-factor authentication in Aruba Controller/Airwave/CPPM

    Posted Feb 16, 2014 07:36 AM

    Aruba Community,

     

    Hope all is well.

     

    I would like to request assistance if it's possible to integrate RSA Token for 2-factor authentication in Aruba Controller/Airwave/CPPM. We are hardening our environment and my Manager wanted me to explore this option.


    Appreciate any input to get this started. Also, if anyone implemented this in their environment that would be great.

     

     

     

    Sincerely,

     

    Dante



  • 2.  RE: Possibility of rsa secure-id for two-factor authentication in Aruba Controller/Airwave/CPPM
    Best Answer

    EMPLOYEE
    Posted Feb 16, 2014 08:39 AM

    I will let others chime in about their specific experience with deployments:

     

    Authentication with RSA secure-ID is possible with the controller, or with the additional policy infrastructure of ClearPass Policy Manager. Both methods require that your wireless endpoints have a supplicant installed that supports EAP-GTC. EAP-GTC is necessary due to the method that RSA uses for authentication. The built-in Windows supplicant does not support EAP-GTC. Juniper Odyssey is probably the most popular and flexible client-side supplicant. The advantage of using ClearPass instead of the controller is that it allows you to make additional policy decisions based on attributes returned from AD based on the username that the user logs into RSA with.

     

    An important supported aspect of a ClearPass or controller deployment is something called "Token Caching", where the user does not have to key in his/her pincode every time the laptop roams.

     

    For logging into the management interfaces of Airwave, the controller, and ClearPass, RSA Token Authentication is supported without loading a supplicant on your endpoint devices. This is done by authenticating directly to RSA using RADIUS.



  • 3.  RE: Possibility of rsa secure-id for two-factor authentication in Aruba Controller/Airwave/CPPM

    Posted Feb 17, 2014 01:20 AM

    Hi Cjoseph,

     

    Do you have a walkthrough/documentation on how to set up the logging to the management interfaces of the Aruba controller, Airwave, and CPPM using RSA?

     


    Thanks a lot!

     

    Oliver



  • 4.  RE: Possibility of rsa secure-id for two-factor authentication in Aruba Controller/Airwave/CPPM

    Posted Feb 18, 2014 08:25 AM
    I would be very interested in this as well. Customer of ours was audited and this is now on the agenda.


  • 5.  RE: Possibility of rsa secure-id for two-factor authentication in Aruba Controller/Airwave/CPPM

    EMPLOYEE
    Posted Feb 18, 2014 08:29 AM

    @oliverm wrote:

    Hi Cjoseph,

     

    Do you have a walkthrough/documentation on how to set up the logging to the management interfaces of the Aruba controller, Airwave, and CPPM using RSA?

     


    Thanks a lot!

     

    Oliver


    Oliverm,

     

    The audit trail log in the controller should say who logs in and logs out of the management interface. Is that what you are talking about?

     



  • 6.  RE: Possibility of rsa secure-id for two-factor authentication in Aruba Controller/Airwave/CPPM

    Posted Feb 18, 2014 08:38 AM
    I believe he is referring to using RSA to log into the management interfaces of said devices.


  • 7.  RE: Possibility of rsa secure-id for two-factor authentication in Aruba Controller/Airwave/CPPM

    EMPLOYEE
    Posted Feb 18, 2014 08:40 AM

    I do not have the documentation, but the RSA server is a RADIUS server as well, and the controller can authenticate to that. He probably should contact RSA for authentication as well as authorization configuration steps.... I'm sorry :(...