Hello Airheads community
This guide shows how to integrate ClearPass and Duo in order to support 2FA. The scenario demoed is securing access to an AOS-CX switch by using the TACACS+ protocol and Duo Push notifications.
Here is what the integration looks like:
PDF file attached.
Experience from end user:
PS: Example of customer feedback when 2FA is used:
Thanks for the guide. May I know, does this work for CLI as well, or only GUI access?
Thanks and Regards,
Hi Leo, it works for CLI and GUI.
Thanks for the confirmation.
Interesting demo. May I please ask what the purpose of the CentOS Authentication Proxy is in this setup? Is it possible to integrate ClearPass with DUO directly?
Hi, it's a DUO product: https://duo.com/docs/authproxy-reference "The Duo Authentication Proxy is an on-premises software service that receives authentication requests from your local devices and applications via RADIUS or LDAP, optionally performs primary authentication against your existing LDAP directory or RADIUS authentication server, and then contacts Duo to perform secondary authentication. Once the user approves the two-factor request (received as a push notification from Duo Mobile, or as a phone call, etc.), the Duo proxy returns access approval to the requesting device or application."
Thank you for your reply. In my case, I have ClearPass already integrated with Active Directory for primary TACACS authentication/authorization.
I want to add a secondary authentication method using a solution like DUO. I am still exploring the options, but the way DUO works is sufficient for my needs.
So basically I only want DUO to help with the secondary push notification authentication. Do I still need the proxy server? Can't ClearPass be integrated directly with the DUO cloud?
What use case are you trying to solve? Let's start there.
Thanks Timms. Please refer to my reply to Adolfo's answer. I hope you guys can help.
So I'm clear, doing TACACS+ with DUO requires two separate CPPM services. One is the standard TACACS+ authentication which could stand on its own as a single factor auth. The second service is the DUO auth service which would get triggered after the first service. Is that correct?
We currently use the TACACS+ service in CPPM for many devices. If I wanted to use TACACS+ with DUO for just a subset of these devices, would I need to create a new TACACS+ service and pair that with the DUO service? Or is there a way to cull out a subset of devices within the current TACACS+ service to work with DUO?