Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass last login data

  • 1.  ClearPass last login data

    Posted Nov 22, 2021 12:17 PM
    Hello!

    Today we have an MFA authentication source that is working as expected for all of our administrative access. However, we are studying a way to not ask for MFA in some situations, like heavy users who access a lot of equipment throughout the day.

    We thought about something like "If there was an approval from this same user + source IP in the last 1 hour, don't prompt for the token authentication."

    I can work out the logic of it, but cannot find where I could get the data itself to apply actions. Any ideas?

    Thanks in advance.

    Luiz

    ------------------------------
    Everson Santos Junior
    ------------------------------


  • 2.  RE: ClearPass last login data

    EMPLOYEE
    Posted Nov 23, 2021 05:10 AM
    I would think that this should be possible with a custom query to the Insight database. Your Aruba partner or Aruba support may be supportive in this.

    Sometimes you can do this as well in the MFA solution itself, as that is the place where you see all actions from a user and decide on the required authentication steps.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass last login data

    Posted Nov 23, 2021 06:50 AM
    Hi Herman!

    I looked, and Duo doesn't have "Remember me" for standard RADIUS applications. What I thought was whether there is a way to capture from ClearPass the last time the user (and maybe some other RADIUS attributes) got a positive hit on the ClearPass service that has the Duo factor activated.

    If I could get that, wouldn't it be possible to do something like "if the time difference between now and the last time the user got a positive hit is less than an hour, give a RADIUS Access-Accept"?

    Thanks in advance.


  • 4.  RE: ClearPass last login data

    EMPLOYEE
    Posted Nov 24, 2021 05:36 AM
    That information can probably be pulled from Insight. What might complicate things is that the authentication sources are tied to the service, and I don't think it's easy to filter your services based on Insight queries.

    I don't have a canned answer. It may be possible, but it is best to work through your Partner/TAC/Local Aruba SE to get this type of functionality validated.

    ------------------------------
    Herman Robers
    ------------------------------
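
The rule proposed in post 3, written out as an added example (not code from any poster and not ClearPass or Duo code). The record layout, the `mfa_verified` flag and the sample history are assumptions made for illustration; the thread does not show the Insight schema. The point it demonstrates is that only accepts that actually passed the second factor may open the one-hour window, otherwise each skipped prompt would renew the window indefinitely.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)  # the "last 1 hour" from the thread


def needs_mfa(history, user, src_ip, now, window=WINDOW):
    """Return True when the second factor must be prompted.

    history: iterable of dicts with keys user, src_ip, time (aware datetime),
    result ("ACCEPT"/"REJECT") and mfa_verified (bool). This layout is
    hypothetical; it is not the ClearPass Insight schema.
    """
    for rec in history:
        # The earlier approval must be for the same user AND the same source IP.
        if rec["user"] != user or rec["src_ip"] != src_ip:
            continue
        # Accepts granted by the skip rule itself (mfa_verified False) are
        # ignored, so the window is anchored to the last real MFA approval.
        if rec["result"] != "ACCEPT" or not rec["mfa_verified"]:
            continue
        age = now - rec["time"]
        # Records stamped in the future (clock skew, bad data) never qualify.
        if timedelta(0) <= age < window:
            return False
    return True  # no qualifying approval found: fail closed and prompt


# Constructed sample history (documentation IP range, invented user name).
T0 = datetime(2021, 11, 23, 9, 0, tzinfo=timezone.utc)
SAMPLE_HISTORY = [
    {"user": "admin1", "src_ip": "192.0.2.10", "time": T0,
     "result": "ACCEPT", "mfa_verified": True},
    # Accept issued 50 minutes later without a prompt (skip rule applied).
    {"user": "admin1", "src_ip": "192.0.2.10",
     "time": T0 + timedelta(minutes=50),
     "result": "ACCEPT", "mfa_verified": False},
    {"user": "admin1", "src_ip": "192.0.2.99",
     "time": T0 + timedelta(minutes=55),
     "result": "REJECT", "mfa_verified": False},
]

if __name__ == "__main__":
    for minutes in (30, 50, 60, 70):
        now = T0 + timedelta(minutes=minutes)
        print(minutes, needs_mfa(SAMPLE_HISTORY, "admin1", "192.0.2.10", now))
```
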