The question is not so much if ClearPass supports it, it is more if 802.1X supports MFA at an appropriate level.
It also depends on what your definition of MFA is. From that point there are multiple approaches.
One option is to deploy certificates in a smart card or TPM or even in your computer certificate store and have that certificate PIN/password-protected, so you need to have the device containing the certificate and know the password or PIN. Then you can deploy EAP-TLS with that. One of the big issues in usability is that the end-user needs to enter the PIN in order to get to the network, and while waiting for that, there is no network connectivity, which is found to be a problem for end-user satisfaction and also for supporting/helpdesk.
One other option is to deploy 802.1X as it is, without the second factor and then use either OnGuard or a captive portal to ask for a second factor authentication. Again here, unless using OnGuard as that can start automatically for the user, there is user interaction needed. But you can basically use any MFA solution together with a captive portal in ClearPass.
Because of this required user interaction, I see smart card authentication deployed sporadically, when all users have smart cards and computers are deployed with readers, but beyond that the balance toward usability commonly wins in practice over the wish to deploy MFA other than certificates (EAP-TLS).
Maybe others have different experiences? Please post here.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
------------------------------
Original Message:
Sent: Nov 09, 2020 10:18 PM
From: Luis Rodrigues
Subject: ClearPass with 802.1x and MFA
Hi all,
Does ClearPass 6.9.x support MFA for 802.1x?
Thanks.
Luis Rodrigues
------------------------------
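As an added illustration of the first option in the reply above (not part of the original thread and not ClearPass configuration): a client-side `wpa_supplicant` sketch for EAP-TLS with the private key held on a PKCS#11 token. It assumes a Linux supplicant built with OpenSSL PKCS#11 engine support; the SSID, identity, paths, server name and token URI are constructed placeholders.

```conf
# Global section: OpenSSL PKCS#11 engine and the token's PKCS#11 module.
# Paths are placeholders; they differ per distribution and token vendor.
pkcs11_engine_path=/usr/lib/engines/pkcs11.so
pkcs11_module_path=/usr/lib/opensc-pkcs11.so

# Variant A: possession + knowledge.
# No "pin" line, so the supplicant asks for the PIN through its control
# interface at connect time. The link stays unauthenticated until the user
# answers, which is the usability cost described in the reply.
network={
	ssid="corp-dot1x"                  # constructed SSID
	key_mgmt=WPA-EAP
	eap=TLS
	identity="user@example.com"        # constructed identity
	ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
	domain_suffix_match="radius.example.com"
	client_cert="pkcs11:token=EXAMPLE;id=%01"   # constructed PKCS#11 URI
	private_key="pkcs11:token=EXAMPLE;id=%01"
}

# Variant B: weak setting, shown for contrast.
# Storing the PIN in the file removes the prompt, but anyone holding the
# device and token (or able to read this file) no longer needs to know
# anything, so the "knowledge" factor is gone.
#network={
#	ssid="corp-dot1x"
#	key_mgmt=WPA-EAP
#	eap=TLS
#	identity="user@example.com"
#	ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
#	domain_suffix_match="radius.example.com"
#	client_cert="pkcs11:token=EXAMPLE;id=%01"
#	private_key="pkcs11:token=EXAMPLE;id=%01"
#	pin="1234"                         # constructed value; do not store PINs here
#}
```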