04-18-2016 11:59 AM
We use Microsoft MFA for two-factor authentication (2FA). MFA can be used as a RADIUS server so I created a Service in my CPPM to use MFA as the authentication source. When I attempt to authenticate to a device now, I get the expected phone call from MFA and I enter my PIN as required for that system. MFA logs indicate I passed authentication but CPPM is showing a failed auth message. What am I missing? Are there specific vendor-specific attributes (VSAs) I need to configure for MFA to send back to CPPM?
04-19-2016 07:52 AM
You didn't say why the RADIUS auth was failing. Is it timing out waiting for the MFA to complete? The default timeout is only 10 seconds.
04-19-2016 08:07 AM
Access denied by policy
Alerts for this Request
RADIUS Applied 'Reject' profile
04-19-2016 08:26 AM
Also, I've verified with a packet capture on the MFA server that a RADIUS Access-Accept(2) message is being returned to CPPM.
04-26-2016 06:30 AM
It turns out that I needed to use a separate Authorization source. Before this requirement I had never written a ClearPass RADIUS service that used separate Authentication and Authorization sources. In this case, Authentication points to MFA as a RADIUS service and Authorization points to Active Directory. Thanks to TAC for helping me with this one.