Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

From zero to demo - Clearpass, DUO and 2FA

  • 1.  From zero to demo - Clearpass, DUO and 2FA

    Posted Oct 02, 2018 11:21 PM

    Hello Airheads community

     

    This guide shows how to integrate ClearPass and Duo in order to support 2FA. The scenario demoed is securing access to an AOS-CX switch using the TACACS+ protocol and Duo Push notification.

     

    Here is what the integration looks like:

    [Image: duo clearpass.png]

    PDF file attached.

     

    Experience from end user:

    [Image: Duo push example.png]

     

    Regards,

    Adolfo

     

    PS: Example of customer feedback when 2FA is used:

    https://scholarblogs.emory.edu/lits/2017/03/10/duo-two-factor-authentication-a-major-increase-in-it-security/

    Attachment: Clearpass - DUO.pdf (13.55 MB)


  • 2.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jan 15, 2019 09:31 PM

    Hi Adolfo

     

    Thanks for the guide. May I know, does this work for CLI as well, or only GUI access?

     

    Thanks and Regards,

     

    Leo



  • 3.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jan 16, 2019 08:14 AM

    Hi Leo, it works for CLI and GUI.



  • 4.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jan 16, 2019 08:37 AM

    Hi Adolfo

     

    Thanks for the confirmation.

     

    Thanks and Regards,

     

    Leo



  • 5.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jun 24, 2020 06:07 AM

    Dear Adolfo,

     

    Interesting demo. May I please ask what the purpose of the CentOS Authentication proxy is in this setup? Is it possible to integrate ClearPass with DUO directly?



  • 6.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jun 24, 2020 11:13 AM

    Hi, it's a DUO product: https://duo.com/docs/authproxy-reference "The Duo Authentication Proxy is an on-premises software service that receives authentication requests from your local devices and applications via RADIUS or LDAP, optionally performs primary authentication against your existing LDAP directory or RADIUS authentication server, and then contacts Duo to perform secondary authentication. Once the user approves the two-factor request (received as a push notification from Duo Mobile, or as a phone call, etc.), the Duo proxy returns access approval to the requesting device or application."



  • 7.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jun 28, 2020 02:00 AM

    Dear Adolfo,

     

    Thank you for your reply.

    In my case, I have ClearPass already integrated with Active Directory for primary TACACS authentication/authorization.

    I want to add a secondary authentication method using a solution like DUO. I am still exploring the options, but the way DUO works is sufficient for my needs.

     

    So basically I only want DUO to help with the secondary push notification authentication. Do I still need the proxy server?
    Can't ClearPass be integrated directly with DUO cloud?



  • 8.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jun 24, 2020 01:50 PM

    What use case are you trying to solve? Let's start there.



  • 9.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Jun 28, 2020 02:03 AM

    Thanks Timms,
    Please refer to my reply to Adolfo's answer. I hope you guys can help.



  • 10.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Aug 13, 2020 04:24 PM

    Thanks Adolfo.

     

    So I'm clear, doing TACACS+ with DUO requires two separate CPPM services. One is the standard TACACS+ authentication which could stand on its own as a single factor auth. The second service is the DUO auth service which would get triggered after the first service. Is that correct?

     

    We currently use the TACACS+ service in CPPM now for many devices. If I wanted to use TACACS+ with DUO for just a subset of these devices, would I need to create a new TACACS+ service and pair that with the DUO service? Or is there a way to cull out a subset of devices within the current TACACS+ service to work with DUO?

     

    Thanks!

    Mike



  • 11.  RE: From zero to demo - Clearpass, DUO and 2FA

    Posted Aug 13, 2020 05:42 PM

    Since the trigger is an auth source, you'd need a duplicate service with additional service rules.