Security Training


Multifactor auth

  • 1.  Multifactor auth

    Posted Apr 29, 2021 01:03 AM
    Hello,

    We have a customer who has an Aruba 2900 series switch running AOS version 16.x.

    They want to integrate the wired switch with Fortinet FortiAuthenticator, which provides the token (same as an RSA token).

    The goal is to have MFA configured on the Aruba switch. The FortiAuthenticator is also acting as the RADIUS server.

    Can someone give a confirmation that the Aruba switch supports MFA (AD user password + token) and provide the required commands to do it?

    ------------------------------
    AG
    ------------------------------


  • 2.  RE: Multifactor auth

    Posted Apr 29, 2021 08:26 AM

    All Aruba switches support TACACS (the FortiAuthenticator is also a TACACS server).

    You'll need to configure the Aruba switch to point to the FortiAuthenticator for TACACS.

    tacacs-server host x.x.x.x
    tacacs-server key <tacacs password>
    aaa authentication ssh login tacacs

    That's all that would be done on the Aruba switch side; everything else needs to be done on the FortiAuthenticator. (I assume you are familiar with FortiAuthenticator, so below are general high-level steps.)

    Edit your remote AD user and assign an MFA token
    Add the Aruba switch as a TACACS client
    Create a TACACS policy, using AD as the identity source, and enforce two-factor authentication
    Set up the appropriate TACACS response

    Once that's done, when the switch sends a TACACS request, the FortiAuthenticator will verify that the AD credentials are correct and will send the push for the FortiToken. If the user passes both, the FortiAuthenticator will return an accept to the switch and let the user log in. (You may need to increase the timeout on the switch because of the delay added by 2FA.)



    ------------------------------
    Christopher Wickline
    ------------------------------
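
Added example, not written by either poster and not Aruba or Fortinet code: a small Python audit of a saved switch configuration that checks the three commands from the reply above and reports which login paths are not sent to TACACS, since MFA enforced on the FortiAuthenticator only covers logins that reach it. The sample config, the list of access methods checked, and the optional secondary method after `tacacs` are assumptions for illustration.

```python
import re

# Constructed sample config: the three commands from the reply above with a
# placeholder address and key, plus a hypothetical console line.
SAMPLE_CONFIG = """\
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-KEY
aaa authentication ssh login tacacs
aaa authentication console login local
"""

# Assumption: the management login paths worth checking on this switch.
ACCESS_METHODS = ("console", "telnet", "ssh")

# Matches "aaa authentication <access> login <primary> [<secondary>]".
LOGIN_RE = re.compile(
    r"^[ \t]*aaa authentication (\w+) login (\w+)(?: (\w+))?[ \t]*$", re.M)


def audit(config):
    """Report which login paths are sent to TACACS in a saved config text."""
    hosts = re.findall(r"^[ \t]*tacacs-server host (\S+)", config, re.M)
    key_set = bool(re.search(
        r"^[ \t]*tacacs-server (?:host \S+ )?key \S+", config, re.M))
    login = {m.group(1): (m.group(2), m.group(3))
             for m in LOGIN_RE.finditer(config)}

    findings = []
    if not hosts:
        findings.append("no tacacs-server host configured")
    if not key_set:
        findings.append("no tacacs-server key configured")
    for method in ACCESS_METHODS:
        primary, secondary = login.get(method, (None, None))
        if primary != "tacacs":
            # This path never reaches the FortiAuthenticator, so no token check.
            findings.append(f"{method}: login not sent to TACACS (primary={primary})")
        elif secondary not in (None, "none"):
            # A secondary method is decided on the switch, not by the MFA policy.
            findings.append(f"{method}: secondary method '{secondary}' bypasses FortiAuthenticator")
    return {"hosts": hosts, "key_set": key_set, "findings": findings}


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", line)
```
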



  • 3.  RE: Multifactor auth

    Posted Apr 29, 2021 08:34 AM
    Hi Christopher,
    Thanks for your reply.
    We are using FortiAuthenticator as RADIUS and we tested 

    The RADIUS authentication via AD works.
    However, to add another layer of security, the customer wants MFA (token based).
    So I am interested in knowing if additional config on the Aruba switch is needed for it. Can you send the commands?

    ------------------------------
    AG
    ------------------------------



  • 4.  RE: Multifactor auth

    Posted Apr 29, 2021 08:38 AM

    If you are already using the FortiAuthenticator as the RADIUS server and that is working, there are no additional commands needed on the Aruba switch.

    All the MFA configuration would then be done on the FortiAuthenticator.



    ------------------------------
    Christopher Wickline
    ------------------------------