Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass 802.1X Auth with MFA (Entrust)

  • 1.  ClearPass 802.1X Auth with MFA (Entrust)

    Posted Jan 10, 2022 01:16 PM
    Hi everyone,

    I'm trying to implement an MFA Auth (with Entrust) using 802.1X in ClearPass. I've seen that it has only been natively implemented with DUO and GoVerifID.

    Any recommendations about how to perform this integration with Entrust? I've found zero documentation about it.
    Is it recommended (for the UX for example) to perform MFA with 802.1X?

    Any help or advice would be appreciated!
    Thanks in advance!
    A.


    ------------------------------
    Alberto Miras Gil
    ------------------------------


  • 2.  RE: ClearPass 802.1X Auth with MFA (Entrust)

    Posted Jan 10, 2022 03:58 PM

    My understanding is that 802.1X for WLAN and MFA don't really get along due to the network often needing to re-authenticate. If someone has a working methodology I'd love to see it too :)

    The typical enterprise authentication benchmark for WLAN 802.1X is EAP-TLS using mutual certificate authentication. From there you can use posture to validate devices are in good standing.

    If you'd like to do MFA, the best approach would probably be to do EAP-TLS or other secure authentication and then redirect the user to a Web Authentication to perform a second auth using a token or other MFA.



    ------------------------------
    eliasz zurawka
    ------------------------------



  • 3.  RE: ClearPass 802.1X Auth with MFA (Entrust)

    EMPLOYEE
    Posted Jan 10, 2022 06:46 PM
    As mentioned by Eliasz, one way is to redirect users to a captive portal page after 802.1x and then perform 2FA auth. Doing this for every auth would result in poor UX. I have seen this implemented in a way where 2FA is required after every X-hours.

    ------------------------------
    Mathew George
    ------------------------------



  • 4.  RE: ClearPass 802.1X Auth with MFA (Entrust)

    EMPLOYEE
    Posted Jan 11, 2022 03:14 AM
    If you can't do MDM to deploy your certificates, you could consider Onboard with MFA authorization. If you check the Onboard and Cloud Identity providers document available at arubanetworks.com/clearpassdocs, you may be able to make the same work with Entrust assuming they support SAML2 or OAuth.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: ClearPass 802.1X Auth with MFA (Entrust)

    Posted Jan 11, 2022 03:23 AM
    Thanks guys!

    The customer I'm working with does not have EAP-TLS implemented nor Onboard. So I was trying to figure out if there was an option to perform this MFA integration with Entrust.

    As per your comment, the idea would be to implement the 802.1x auth with a captive portal redirection where the user must introduce the 2FA token only every X-hours. I'll try that option.

    Thanks!
    A.

    ------------------------------
    Alberto Miras Gil
    ------------------------------
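
The "2FA every X hours" approach discussed in this thread comes down to tracking when each user and device last completed the second factor, separately from 802.1X re-authentications and roams. A sketch of that decision logic in Python, added here as an illustration (it is not a ClearPass configuration and not code from any poster); the 8-hour window, the role names and the sample events are assumptions.

```python
from datetime import datetime, timedelta

MFA_TTL = timedelta(hours=8)        # assumed value for "X hours"
ROLE_FULL = "full-access"           # hypothetical role names
ROLE_PORTAL = "mfa-captive-portal"


class MfaFreshnessCache:
    """Remembers when each (user, MAC) pair last passed the second factor."""
    def __init__(self, ttl=MFA_TTL):
        self.ttl = ttl
        self._last_mfa = {}

    @staticmethod
    def _key(user, mac):
        # Normalise so "AA-BB-..." and "aa:bb:..." name the same endpoint.
        return user.lower(), mac.lower().replace("-", ":")

    def record_mfa(self, user, mac, when):
        self._last_mfa[self._key(user, mac)] = when

    def role_for(self, user, mac, now):
        # Decision for a successful 802.1X auth. Re-auths and roams never
        # refresh the timestamp, so the window runs from the last real MFA.
        last = self._last_mfa.get(self._key(user, mac))
        if last is None or last > now or now - last >= self.ttl:
            return ROLE_PORTAL  # never verified, clock anomaly, or expired
        return ROLE_FULL


def replay(events, cache):
    """Apply (kind, user, mac, time) events; return the role per 802.1X auth."""
    roles = []
    for kind, user, mac, when in events:
        if kind == "mfa-ok":    # portal reported a successful second factor
            cache.record_mfa(user, mac, when)
        else:                   # "dot1x": successful 802.1X auth or re-auth
            roles.append(cache.role_for(user, mac, when))
    return roles


T0 = datetime(2022, 1, 11, 9, 0)  # constructed sample timeline
SAMPLE_EVENTS = [
    ("dot1x", "alice", "AA-BB-CC-00-11-22", T0),
    ("mfa-ok", "alice", "aa:bb:cc:00:11:22", T0 + timedelta(minutes=2)),
    ("dot1x", "alice", "aa:bb:cc:00:11:22", T0 + timedelta(minutes=30)),
    ("dot1x", "bob", "aa:bb:cc:00:11:22", T0 + timedelta(hours=1)),
    ("dot1x", "alice", "aa:bb:cc:00:11:22", T0 + timedelta(hours=9)),
]
```

Replaying the sample events sends the first connection to the portal, lets the re-authentication 30 minutes later straight through, and sends both a different user on the same MAC and the post-expiry authentication back to the portal.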