Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Integrate Okta with Clearpass for RADIUS and TACACS MFA

  • 1.  Integrate Okta with Clearpass for RADIUS and TACACS MFA

    Posted Dec 10, 2021 10:20 AM

    Hi

    I am trying to integrate Okta Token Server with the CPPM for the RADIUS and TACACS requests for MFA. It is giving me some issues as the MFA works randomly for the login requests. The user will receive the push from Okta no matter what. But the CPPM logs say Error Code: "Internal error in performing authentication".

    The alerts section says "Connection closed by remote end". I tried to look at the switch logs and it is marking the user account as invalid. I tried another switch and it is not even able to identify the user account and says it's an unknown user.

    Could anyone guide me here? Also, if there is a guide on how to integrate Okta with ClearPass, can I get that if anyone knows about it?

    Thanks 



    ------------------------------
    Saiyam Mehra
    ------------------------------


  • 2.  RE: Integrate Okta with Clearpass for RADIUS and TACACS MFA

    MVP EXPERT
    Posted Dec 11, 2021 04:20 AM
    Certainly had it working with Duo for logging into a switch on ArubaOS and ComWare switches. Is that what you want to do?

    Didn't work so well for RSA tokens but didn't investigate that too far

    A

    ------------------------------
    Alex Sharaz
    ------------------------------



  • 3.  RE: Integrate Okta with Clearpass for RADIUS and TACACS MFA

    Posted Dec 14, 2021 08:11 AM
    I am trying to do something similar but instead of using Duo, I am trying to use Okta MFA with Aruba OS switches.

    ------------------------------
    Saiyam Mehra
    ------------------------------



  • 4.  RE: Integrate Okta with Clearpass for RADIUS and TACACS MFA

    EMPLOYEE
    Posted Dec 17, 2021 08:46 AM
    Please try to work with Aruba Support, they may have a workaround. I did find somewhere internal that for Okta in this admin login, the switch needs to support challenge-response for RADIUS and Admin access. It may be that the Aruba OS switches don't support that, but that's also something that TAC can verify.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Integrate Okta with Clearpass for RADIUS and TACACS MFA

    Posted Dec 29, 2021 11:00 AM
    It worked now. Did a Wireshark capture with TAC and found that for the first request of the auth, the ClearPass-Okta exchange was slow, which made the switch time out the session and then reset the session. But when we attempt the second time it works, as the ClearPass-Okta exchange wasn't slow. So we ended up increasing the RADIUS-server timeout setting on the switch and it is now working fine.

    ------------------------------
    Saiyam Mehra
    ------------------------------
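
The timing problem found in the capture above can be checked for directly. This is an added example, not part of the original posts and not Aruba or Okta tooling: it pairs RADIUS requests with their replies and flags exchanges slower than the switch's wait budget. The addresses, timestamps, identifiers and the `budget_s` parameter (assumed to be the switch timeout multiplied by its number of attempts) are constructed for illustration.

```python
# Added example: flag RADIUS exchanges whose reply came back later than the
# switch was willing to wait. All addresses, times and IDs are constructed.
REQUEST = 1                                   # Access-Request
REPLIES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

SWITCH, CPPM = "10.0.0.2", "10.0.0.10"        # constructed addresses
# (seconds, source, destination, RADIUS code, RADIUS identifier)
CAPTURE = [
    (0.00, SWITCH, CPPM, 1, 17),   # first login: request sent
    (5.00, SWITCH, CPPM, 1, 17),   # retransmission, same identifier
    (7.80, CPPM, SWITCH, 2, 17),   # accept arrives after the MFA push
    (30.00, SWITCH, CPPM, 1, 18),  # second login
    (32.10, CPPM, SWITCH, 2, 18),  # fast reply this time
]

def exchange_latencies(packets):
    """Pair each request with its reply by (NAS address, identifier).

    Latency is measured from the first transmission, so retransmissions
    do not hide a slow server. Unanswered requests get latency None.
    """
    first_sent, result = {}, {}
    for ts, src, dst, code, ident in sorted(packets):
        if code == REQUEST:
            key = (src, ident)
            first_sent.setdefault(key, ts)
            result.setdefault(key, None)
        elif code in REPLIES:
            key = (dst, ident)
            if key in first_sent and result[key] is None:
                result[key] = round(ts - first_sent[key], 2)
    return result

def too_slow(packets, budget_s):
    """Exchanges with no reply, or a reply later than the NAS wait budget."""
    return {k: v for k, v in exchange_latencies(packets).items()
            if v is None or v > budget_s}

if __name__ == "__main__":
    for budget in (5, 10):
        print(f"budget {budget}s ->", too_slow(CAPTURE, budget))
```

The largest latency reported for successful MFA logins is the floor for the switch's total wait time; a budget below it reproduces the intermittent failures described in the thread.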