Security

  • 1.  CPPM Secure Admin-Logon with MFA

    Posted Jun 15, 2025 06:57 AM

    Hello everyone,

    I've searched over the internet and also in this forum, but I haven't found anything similar to my scenario...

    We are using MS Authenticator as second factor; now we want to secure admin access to CPPM with cred+pass and OTP.

    Recently we had an on-prem MFA service solution; we used their Token Server as Authentication Source and everything was OK.

    This won't work with MS Auth, and even if it did, we don't want to use it to provide only an OTP for authentication (the previous solution used a private PIN combined with the OTP).

    We are using some 3rd-party appliances which do allow MFA with MS Authenticator, but with the help of an NPS which is connected to Entra.

    If I'm getting it right, ClearPass logons are listed as Auth-Type TACACS+, which NPS doesn't use. Moreover, RADIUS Proxies are only allowed on Service Auth-Type RADIUS.

    Does anyone have such a setup and could provide me some hints on getting this done?


    Thanks in advance and Best Regards!



    ------------------------------
    gst
    ------------------------------


  • 2.  RE: CPPM Secure Admin-Logon with MFA
    Best Answer

    Posted Jun 16, 2025 09:19 AM

    What probably works best is to integrate through SAML SSO to your Identity/Authentication platform and configure the MFA there similar to other applications that you may have. That avoids a point solution for ClearPass:

    Policy Manager is the ClearPass login....



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: CPPM Secure Admin-Logon with MFA

    Posted Jun 17, 2025 02:14 AM

    Hello Herman,

    Thank you, it makes a lot of sense. I'll try it out and give feedback.

    Best Regards,

    Grzegorz



    ------------------------------
    gst
    ------------------------------



  • 4.  RE: CPPM Secure Admin-Logon with MFA

    Posted 22 days ago
    Edited by gst 22 days ago

    Hello Herman,

    After crashing my ClearPass on the first try (SSO was not disabled properly after the test and was applied to Policy Manager; recovery via SSH and "system sso-reset"...), I've finally managed to run SSO for Guest and Insight. This was really straightforward! With the SSO Service Template I got a simple Enforcement Profile with SSO-Role = Super Administrator. I would like to tweak the SSO Service / Profile so that I can give different privileges to Admin, Support and Compliance, similar to Active Directory authorization via group membership. Can I use AD or Entra for that?

    Best Regards,



    ------------------------------
    gst
    ------------------------------



  • 5.  RE: CPPM Secure Admin-Logon with MFA

    Posted 22 days ago

    Using AD or Entra for authorization is certainly possible. Just add Entra or AD as AuthZ source to the service and build the Role Mapping to assign the required permissions. The SAML username will be used to do the lookup in AD or Entra. The other option is to use the SAML claims to assign the right level.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 6.  RE: CPPM Secure Admin-Logon with MFA

    Posted 22 days ago
    Edited by gst 22 days ago

    Hello Willem, hello Herman,

    I think we might get into some trouble using AD because we use UPNs in Entra and usernames in AD. I think I'll give it a try with Entra claims.
    Now I have another issue with the HTTPS certificate... In the SSO configuration ClearPass insists on using the FQDN combined with our internal domain; this parameter isn't editable from the SSO config page.
    For guest registration purposes I've set an HTTPS certificate from a public CA. Now when I log on to ClearPass I get a certificate warning because I have no certificate for the internal FQDN. How do I solve this issue?

    Best Regards,

    ------------------------------
    gst
    ------------------------------



  • 7.  RE: CPPM Secure Admin-Logon with MFA

    Posted 22 days ago

    The easiest one will be the EntraID AuthZ source or using the SAML claims. Please note that it is possible to strip domains from the usernames.

    ClearPass supports one HTTPS certificate per appliance. Best is to use a publicly signed certificate. You can use the same FQDN for Guest users and MGMT users, or add an additional SAN to the cert as FQDN for mgmt purposes. However, that one of course needs to be a public FQDN.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------
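    A worked illustration of the two points raised in replies 5 and 7 (mapping SAML group claims to an admin privilege level, and stripping the domain from a UPN before an AD lookup), added here as an example; it is not ClearPass's own role-mapping code, and the group object IDs, the role names other than "Super Administrator" and the sample assertion are constructed.

```python
"""Map Entra ID SAML group claims to a ClearPass admin privilege level (added
example; group object IDs, role names other than 'Super Administrator', and
the sample assertion are constructed)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Claim name Entra ID uses for group membership when the app sends groups.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUP_TO_ROLE = {  # object IDs below are placeholders, not from a real tenant
    "11111111-aaaa-4aaa-8aaa-111111111111": "Super Administrator",
    "22222222-bbbb-4bbb-8bbb-222222222222": "Support",
    "33333333-cccc-4ccc-8ccc-333333333333": "Compliance",
}
ROLE_RANK = {"Super Administrator": 3, "Support": 2, "Compliance": 1}

def strip_domain(name_id: str) -> str:
    """'user@corp.example' (UPN) or 'CORP\\user' -> 'user' for an AD lookup."""
    if "@" in name_id:
        return name_id.split("@", 1)[0]
    if "\\" in name_id:
        return name_id.rsplit("\\", 1)[1]
    return name_id

def map_assertion(xml_text: str):
    """Return (lookup_username, role); role is None when no mapped group
    matches, so an unmapped user is denied rather than given a default."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    values = root.findall(
        f".//saml:Attribute[@Name='{GROUPS_CLAIM}']/saml:AttributeValue", NS)
    roles = [GROUP_TO_ROLE[v.text.strip()] for v in values
             if v.text and v.text.strip() in GROUP_TO_ROLE]
    # Most privileged mapped group wins when a user is in several.
    role = max(roles, key=ROLE_RANK.__getitem__) if roles else None
    return strip_domain(name_id.text.strip()), role

# Constructed, unsigned sample: a real assertion's signature must be verified
# before any claim in it is trusted.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>g.tester@corp.example</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
   <saml:AttributeValue>22222222-bbbb-4bbb-8bbb-222222222222</saml:AttributeValue>
   <saml:AttributeValue>33333333-cccc-4ccc-8ccc-333333333333</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

    Calling `map_assertion(SAMPLE)` yields `('g.tester', 'Support')`: the UPN is reduced to the bare username for the AD lookup, and of the two mapped groups the higher-ranked one decides the role.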