Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

From zero to demo - Clearpass, DUO and 2FA

  • 1.  From zero to demo - Clearpass, DUO and 2FA

    EMPLOYEE
    Posted Oct 02, 2018 11:21 PM

    Hello Airheads community

     

    This guide shows how to integrate ClearPass and Duo in order to support 2FA. The scenario demoed is securing access to an AOS-CX switch by using the TACACS+ protocol and Duo Push notification.

     

    Here is what the integration looks like:

    duo clearpass.png

    PDF file attached.

     

    Experience from end user:

    Duo push example.png

     

    Regards,

    Adolfo

     

    PS: Example of customer feedback when 2FA is used:

    https://scholarblogs.emory.edu/lits/2017/03/10/duo-two-factor-authentication-a-major-increase-in-it-security/

    Attachment(s)

    pdf
    Clearpass - DUO.pdf   13.55 MB 1 version


  • 2.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jan 15, 2019 09:31 PM

    Hi Adolfo

     

    Thanks for the guide. May I know whether this works for CLI as well, or only GUI access?

     

    Thanks and Regards,

     

    Leo



  • 3.  RE: From zero to demo - Clearpass, DUO and 2FA

    EMPLOYEE
    Posted Jan 16, 2019 08:14 AM

    Hi Leo, it works for CLI and GUI.



  • 4.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jan 16, 2019 08:37 AM

    Hi Adolfo

     

    Thanks for the confirmation.

     

    Thanks and Regards,

     

    Leo



  • 5.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jun 24, 2020 06:07 AM

    Dear Adolfo,

     

    Interesting demo. May I please ask what the purpose of the CentOS Authentication proxy is in this setup? Is it possible to integrate ClearPass with DUO directly?



  • 6.  RE: From zero to demo - Clearpass, DUO and 2FA

    EMPLOYEE
    Posted Jun 24, 2020 11:13 AM

    Hi, it's a DUO product: https://duo.com/docs/authproxy-reference "The Duo Authentication Proxy is an on-premises software service that receives authentication requests from your local devices and applications via RADIUS or LDAP, optionally performs primary authentication against your existing LDAP directory or RADIUS authentication server, and then contacts Duo to perform secondary authentication. Once the user approves the two-factor request (received as a push notification from Duo Mobile, or as a phone call, etc.), the Duo proxy returns access approval to the requesting device or application."
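
Added example, not from the thread or the attached guide: a minimal `authproxy.cfg` sketch for the flow the quoted Duo description covers, with the proxy performing only the Duo second factor because the RADIUS client (assumed here to be ClearPass) has already done primary authentication. The IP address, shared secret and keys are placeholders; the section and option names follow the Duo reference linked above and should be checked against it for your proxy version.

```ini
; authproxy.cfg (added sketch; every value below is a placeholder)

; No primary authentication on the proxy: the RADIUS client that
; sends the request is assumed to have verified the password already.
[duo_only_client]

[radius_server_auto]
; Integration key, secret key and API hostname from the Duo Admin Panel.
ikey=<INTEGRATION_KEY>
skey=<SECRET_KEY>
api_host=<API_HOSTNAME>

; The only RADIUS client allowed to talk to the proxy (assumed: the
; ClearPass server; 192.0.2.10 is a documentation address).
radius_ip_1=192.0.2.10
radius_secret_1=<LONG_RANDOM_SHARED_SECRET>

; Use the section above, i.e. skip primary authentication here.
client=duo_only_client
port=1812

; failmode=safe (the default) lets logins through without the second
; factor when Duo's service cannot be reached. failmode=secure rejects
; them instead, so 2FA cannot be bypassed by blocking the proxy's
; outbound connection to Duo.
failmode=secure
```

With `failmode=secure`, device logins that depend on this proxy fail while Duo is unreachable, so plan a separately controlled local administrator account on the network devices for that case.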



  • 7.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jun 28, 2020 02:00 AM

    Dear Adolfo,

     

    Thank you for your reply.

    In my case, I have ClearPass already integrated with the Active Directory for primary TACACS authentication/authorization.

    I want to add a secondary authentication method using a solution like DUO. I am still exploring the options, but the way DUO works is sufficient for my needs.

     

    So basically I only want DUO to help with the secondary push notification authentication. Do I still need the proxy server?
    Can't ClearPass be integrated directly with DUO cloud?



  • 8.  RE: From zero to demo - Clearpass, DUO and 2FA

    MVP EXPERT
    Posted Jun 24, 2020 01:50 PM

    What use case are you trying to solve? Let's start there.



  • 9.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jun 28, 2020 02:03 AM

    Thanks Timms,
    Please refer to my reply to Adolfo's answer. I hope you guys can help.



  • 10.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Aug 13, 2020 04:24 PM

    Thanks Adolfo.

     

    So I'm clear, doing TACACS+ with DUO requires two separate CPPM services. One is the standard TACACS+ authentication which could stand on its own as a single factor auth. The second service is the DUO auth service which would get triggered after the first service. Is that correct?

     

    We currently use the TACACS+ service in CPPM now for many devices. If I wanted to use TACACS+ with DUO for just a subset of these devices, would I need to create a new TACACS+ service and pair that with the DUO service? Or is there a way to cull out a subset of devices within the current TACACS+ service to work with DUO?

     

    Thanks!

    Mike



  • 11.  RE: From zero to demo - Clearpass, DUO and 2FA

    MVP EXPERT
    Posted Aug 13, 2020 05:42 PM
    Since the trigger is an auth source, you'd need a duplicate service with additional service rules.


  • 12.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Mar 31, 2021 05:41 PM
    Thank you for the awesome guide. One thing I am not understanding is why you need a RADIUS service added after you point the TACACS service to the token server? Doesn't the DUO proxy server handle the RADIUS authentication?

    ------------------------------
    Devin Burns
    ------------------------------



  • 13.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Mar 15, 2022 10:36 AM
    Hi,

    I have this running thanks to this guide and have been able to apply it across all my networking gear, multiple vendors, successfully.
    One issue I do see is that sometimes a user will get a double prompt from DUO for authentication, so two push notifications.
    I am wondering if anybody else sees this behavior?

    Cheers,

    Will

    ------------------------------
    William McDermott
    ------------------------------



  • 14.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Oct 12, 2022 04:24 PM
    William, I was curious if you could share what your service(s) look like to get this going. Did you use one service for both TACACS and DUO? Or did you have to create two separate services?