Wireless Access

  • 1.  Looking to Implement MFA authentication on a SSID - Need assistance

    Posted Feb 28, 2025 12:37 PM

    Hi

    My boss has tasked me to look into our options on how to get MFA (PingID) to work with authenticating on an SSID.

    Right now, we only have a single Guest-SSID, which is used by everyone in the company: employees, guests, contractors.

    We are now looking into creating a separate Employee-SSID, which will only be used by employees. What we're initially considering is using RADIUS (NPS) to authenticate users with AD, then MFA using PingID, which will then register their device's MAC for MAC-auth for, say, 30 days.

    I'm thinking about the process below:

    • Employee attempts to connect to the Employee-SSID, the AP/GW will trigger a RADIUS authentication request to RADIUS Server.
    • RADIUS server then checks the credentials against AD.
    • After verifying the password, the RADIUS server will prompt PingID to trigger the MFA challenge.
    • The user completes the MFA challenge, and if successful, the RADIUS server grants network access to the employee.
    • Device MAC will then get stored in RADIUS for a number of days (let's say 30 days), so users don't have to re-authenticate if using the same device.

    What do we need to get this to work? We do not have Clearpass.

    I'm not at all an expert with RADIUS / MFA, so I do not fully understand how those integrations work.

    Thank you.

    Vascarf
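
    The flow described in the post above, as an added example that is not part of the original post and not the code of NPS, PingID or any RADIUS server: a constructed Python model of the policy decision, with the AD check, the PingID prompt and the 30-day MAC binding all replaced by labelled stand-ins (`Directory`, `mfa_challenge`, `MacBinding`, `RadiusPolicy` are assumed names, and the users, passwords and MAC addresses are constructed).

```python
"""Constructed simulation of the SSID access flow proposed in the post above.

Stand-alone model only: it is not NPS, PingID, or any real RADIUS server.
A policy engine decides ACCEPT/REJECT for a connection attempt and keeps a
time-limited cache of device MACs that already passed password + MFA, so
the next connection from that MAC takes the MAC-auth path instead.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

MAC_CACHE_DAYS = 30  # the 30-day window proposed in the post


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Directory:
    """Stand-in for AD: keeps only salted PBKDF2 hashes, never plaintext."""
    _users: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_pw(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(_hash_pw(password, salt), digest)


@dataclass
class MacBinding:
    username: str
    expires_at: datetime


@dataclass
class RadiusPolicy:
    directory: Directory
    mfa_challenge: Callable[[str], bool]  # stand-in for the PingID push/OTP step
    cache_days: int = MAC_CACHE_DAYS
    mac_cache: Dict[str, MacBinding] = field(default_factory=dict)

    def _cached_user(self, mac: str, now: datetime) -> Optional[str]:
        """MAC-auth path: the bound user if the binding exists and is unexpired.
        Expired bindings are evicted on sight, so a stale MAC never passes."""
        entry = self.mac_cache.get(mac)
        if entry is None:
            return None
        if now >= entry.expires_at:
            del self.mac_cache[mac]
            return None
        return entry.username

    def forget_device(self, mac: str) -> None:
        """Revoke a binding early (lost or reassigned device)."""
        self.mac_cache.pop(mac.lower(), None)

    def connect(self, mac: str, now: datetime,
                username: Optional[str] = None,
                password: Optional[str] = None) -> Tuple[str, str]:
        """One connection attempt. Returns (decision, reason)."""
        mac = mac.lower()
        if self._cached_user(mac, now) is not None:
            return "ACCEPT", "mac-cache"
        if username is None or password is None:
            return "REJECT", "unknown-device"   # client must fall back to full auth
        if not self.directory.check_password(username, password):
            return "REJECT", "bad-password"
        if not self.mfa_challenge(username):
            return "REJECT", "mfa-failed"       # never bind a MAC on an MFA failure
        self.mac_cache[mac] = MacBinding(username, now + timedelta(days=self.cache_days))
        return "ACCEPT", "password+mfa"


def run_scenario() -> list:
    """Walks two constructed devices through the flow; returns the decisions in order."""
    ad = Directory()
    ad.add_user("alice", "alice-pass-constructed")  # constructed credentials
    ad.add_user("bob", "bob-pass-constructed")
    approved = {"alice"}  # users whose simulated PingID prompt gets approved
    policy = RadiusPolicy(ad, mfa_challenge=lambda user: user in approved)
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    alice_mac, bob_mac = "AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"
    results = [
        policy.connect(alice_mac, t0),                                     # unknown MAC
        policy.connect(alice_mac, t0, "alice", "wrong"),                   # bad password
        policy.connect(alice_mac, t0, "alice", "alice-pass-constructed"),  # pw + MFA ok
        policy.connect(alice_mac, t0 + timedelta(days=29)),                # still bound
        policy.connect(alice_mac, t0 + timedelta(days=30)),                # expired
        policy.connect(alice_mac, t0 + timedelta(days=30), "alice", "alice-pass-constructed"),
    ]
    policy.forget_device(alice_mac)                                        # help-desk revoke
    results.append(policy.connect(alice_mac, t0 + timedelta(days=31)))
    results.append(policy.connect(bob_mac, t0, "bob", "bob-pass-constructed"))  # MFA denied
    results.append(policy.connect(bob_mac, t0))                            # so no binding
    return results


if __name__ == "__main__":
    for decision, reason in run_scenario():
        print(decision, reason)
```

    What the model makes explicit: a MAC binding is only created after both the password and the MFA step succeed, an expired binding is evicted rather than trusted, and `forget_device` gives the help desk a way to revoke the 30-day grant for a lost device. The binding is keyed on nothing but the MAC address, which is not a secret, so the length of that window is the part of the design to keep short.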



  • 2.  RE: Looking to Implement MFA authentication on a SSID - Need assistance

    Posted Mar 01, 2025 11:34 AM

    802.1X authentication is not built for this type of workflow. Maybe this can work with ClearPass, but the user experience will not be optimal. In general, MFA on SSIDs is not recommended.

    I would strongly advise you to use certificate-based authentication instead of passwords. EAP-PEAP has been broken for years already!! Certificate-based authN is much more secure and future-proof than username/password authentication.

    In addition to the authentication flow (based on certificates), you can think about integration with MDM tools like Intune for additional authorization attributes.

    If you are really looking for MFA, I would think about using a captive portal.

    Why not implement MFA on the application access layer? Think about ZTNA with MFA when accessing an application. That is the way to go. 



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 3.  RE: Looking to Implement MFA authentication on a SSID - Need assistance

    Posted Mar 03, 2025 09:30 AM

    To add to that, using a certificate (something you have) with a PIN (something you know) is also multi-factor authentication. If you make sure the certificate is in a TPM or smartcard, which has PIN protection, that may work. Note that the user experience will be degraded as users need to type their PIN when connecting to the network.

    Onboarding of a device where you go through MFA during the onboarding, then deploy a client certificate based on that MFA to use for standard 802.1X, may also be acceptable. But in general, people (and computers/computer systems) are used to being connected before things like MFA come into play. Further, ZTNA as an overlay on top of a connection that is simply up is worth considering.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Looking to Implement MFA authentication on a SSID - Need assistance

    Posted Mar 03, 2025 11:37 AM

    My usual response to this ask is "why do you hate your users so much?"  You can get MFA with 802.1X to work, usually with a multi-step process that is horrible for the user to deal with.  Just don't.  MFA is there for application or OS level security, MFA is not meant for implementation with 802.1X.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------