Security

Hi everyone,

I'm trying to implement a MFA Auth (with Entrust) using 802.1X in ClearPass. I've seen that it's only have been natively implemented with DUO and GoVerifID. 

Any recommendations about how to perform this integration with Entrust? I've found zero documentation about it.
Is it recommended (for the UX for example) to perform MFA with 802.1X?

Any help or advice would be appreciated!
Thanks in advance!
A.

------------------------------
Alberto Miras Gil
------------------------------

My understanding is that 802.1X for WLAN and MFA don't really get along due to the network often needing to re-authenticate. If someone has a working methodology I'd love to see it too :)

The typical enterprise authentication benchmark for WLAN 802.1X is EAP-TLS using mutual certificate authentication. From there you can use posture to validate devices are in good standing.

If you'd like to do MFA the best approach would probably to do EAP-TLS or other secure authentication and then redirect the user to a Web Authentication to perform a second auth using a token or other MFA.

------------------------------
eliasz zurawka
------------------------------

Original Message:
Sent: Jan 10, 2022 04:55 AM
From: Alberto Miras Gil
Subject: ClearPass 802.1X Auth with MFA (Entrust)

Hi everyone,

I'm trying to implement a MFA Auth (with Entrust) using 802.1X in ClearPass. I've seen that it's only have been natively implemented with DUO and GoVerifID. 

Any recommendations about how to perform this integration with Entrust? I've found zero documentation about it.
Is it recommended (for the UX for example) to perform MFA with 802.1X?

Any help or advice would be appreciated!
Thanks in advance!
A.

------------------------------
Alberto Miras Gil
------------------------------

As mentioned by Eliasz, one way is to redirect users to a captive portal page after 802.1x and then performing 2FA auth. Doing this for every auth would result in poor UX. I have seen this implemented in a way where 2FA is required after every X-hours.

------------------------------
Mathew George
------------------------------

Original Message:
Sent: Jan 10, 2022 04:55 AM
From: Alberto Miras Gil
Subject: ClearPass 802.1X Auth with MFA (Entrust)

Hi everyone,

I'm trying to implement a MFA Auth (with Entrust) using 802.1X in ClearPass. I've seen that it's only have been natively implemented with DUO and GoVerifID. 

Any recommendations about how to perform this integration with Entrust? I've found zero documentation about it.
Is it recommended (for the UX for example) to perform MFA with 802.1X?

Any help or advice would be appreciated!
Thanks in advance!
A.

------------------------------
Alberto Miras Gil
------------------------------

If you can't do MDM to deploy your certificates, you could consider Onboard with MFA authorization. If you check the Onboard and Cloud Identity providers document available at arubanetworks.com/clearpassdocs, you may be able to make the same work with Entrust assuming they support SAML2 or OAuth.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jan 10, 2022 06:45 PM
From: Mathew George
Subject: ClearPass 802.1X Auth with MFA (Entrust)

As mentioned by Eliasz, one way is to redirect users to a captive portal page after 802.1x and then performing 2FA auth. Doing this for every auth would result in poor UX. I have seen this implemented in a way where 2FA is required after every X-hours.

------------------------------
Mathew George

Original Message:
Sent: Jan 10, 2022 04:55 AM
From: Alberto Miras Gil
Subject: ClearPass 802.1X Auth with MFA (Entrust)

Hi everyone,

I'm trying to implement a MFA Auth (with Entrust) using 802.1X in ClearPass. I've seen that it's only have been natively implemented with DUO and GoVerifID. 

Any recommendations about how to perform this integration with Entrust? I've found zero documentation about it.
Is it recommended (for the UX for example) to perform MFA with 802.1X?

Any help or advice would be appreciated!
Thanks in advance!
A.

------------------------------
Alberto Miras Gil
------------------------------

Thanks guys!

The customer I'm working with does not have EAP-TLS implemented nor Onboard. So I was trying to figure it out if there was an option to perform this MFA integration with Entrust.

As per your comment, the idea would be to implement the 802.1x auth with a captive portal redirection where the user must introduce the 2FA token only every X-hours. I'll try that option.

Thanks!
A.

------------------------------
Alberto Miras Gil
------------------------------

Original Message:
Sent: Jan 11, 2022 03:14 AM
From: Herman Robers
Subject: ClearPass 802.1X Auth with MFA (Entrust)

If you can't do MDM to deploy your certificates, you could consider Onboard with MFA authorization. If you check the Onboard and Cloud Identity providers document available at arubanetworks.com/clearpassdocs, you may be able to make the same work with Entrust assuming they support SAML2 or OAuth.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 10, 2022 06:45 PM
From: Mathew George
Subject: ClearPass 802.1X Auth with MFA (Entrust)

As mentioned by Eliasz, one way is to redirect users to a captive portal page after 802.1x and then performing 2FA auth. Doing this for every auth would result in poor UX. I have seen this implemented in a way where 2FA is required after every X-hours.

------------------------------
Mathew George

Original Message:
Sent: Jan 10, 2022 04:55 AM
From: Alberto Miras Gil
Subject: ClearPass 802.1X Auth with MFA (Entrust)

Hi everyone,

I'm trying to implement a MFA Auth (with Entrust) using 802.1X in ClearPass. I've seen that it's only have been natively implemented with DUO and GoVerifID. 

Any recommendations about how to perform this integration with Entrust? I've found zero documentation about it.
Is it recommended (for the UX for example) to perform MFA with 802.1X?

Any help or advice would be appreciated!
Thanks in advance!
A.

------------------------------
Alberto Miras Gil
------------------------------