Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass with 802.1x and MFA

  • 1.  ClearPass with 802.1x and MFA

    Posted 18 days ago
    Hi all,

    Does ClearPass 6.9.x support MFA for 802.1x?


    Luis Rodrigues

  • 2.  RE: ClearPass with 802.1x and MFA

    Posted 18 days ago
    The question is not so much if ClearPass supports it, it is more if 802.1X supports MFA at an appropriate level.

    It also depends on what your definition of MFA is. From that point there are multiple approaches.

    One option is to deploy certificates in a smart card or TPM or even in your computer certificate store and have that certificate PIN/password protected, so you need to have the device containing the certificate and know the password or PIN. Then you can deploy EAP-TLS with that. One of the big issues in usability is that the end-user needs to enter the PIN in order to get to the network, and while waiting for that, there is no network connectivity and that is found to be a problem for end-user satisfaction and also for supporting/helpdesk.

    One other option is to deploy 802.1X as it is, without the second factor and then use either OnGuard or a captive portal to ask for a second factor authentication. Again here, unless using OnGuard as that can start automatically for the user, there is user interaction needed. But you can basically use any MFA solution together with a captive portal in ClearPass.

    Because of this required user interaction, I see smart card authentication deployed sporadically, when all users have smart cards and computers are deployed with readers, but beyond that, the balance toward usability commonly wins over the wish to deploy MFA other than certificates (EAP-TLS) in practice.

    Maybe others have different experiences? Please post here.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check for how to contact Aruba TAC.

  • 3.  RE: ClearPass with 802.1x and MFA

    Posted 17 days ago
    There is little value in second factor at the network level.

    Use a strong authentication method to begin with (EAP-TLS) and ensure your applications use passwordless authentication.

    Tim C