Frequent Contributor I

2FA for 802.1X with Okta

Hi Aruba Community,


I've seen a few posts about this but I haven't found a definitive answer. I'm working with a customer who would like to enable 2FA for a wireless 802.1X workflow. They currently have Okta integrated in with their environment. I did find a how-to post for a similar setup using RSA SecurID and setting the authentication source as a token server.

I've also found some documentation on the Okta side of the house supporting a RADIUS configuration. Has anyone successfully been able to get Okta to work as a 2FA authentication server for 802.1X? Any advice or steps to configure? Or does anyone have other solutions that they can recommend?

Thanks in advance!

Guru Elite

Re: 2FA for 802.1X with Okta

MFA with 802.1X is not recommended as the user experience is very poor and in some cases, requires a custom supplicant to be installed on the device.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Frequent Contributor I

Re: 2FA for 802.1X with Okta

Thanks Tim! - Can you elaborate on what you mean by a poor user experience?

And do you have any other recommendations for customers wishing to pursue MFA as an option? Perhaps EAP-TLS / OnGuard combo?

Frequent Contributor I

Re: 2FA for 802.1X with Okta

I've also seen some community posts regarding some "sandwich" workflows. This seems like a workable solution. Was anyone able to get this working or is there any documentation on such a solution?

Frequent Contributor I

Re: 2FA for 802.1X with Okta

A captive portal (where I can customize the MFA cache) would work for their needs. However, I only see that Duo is supported and not Okta. - Has anyone got this working with Okta?

Guru Elite

Re: 2FA for 802.1X with Okta

The sandwich flow is a poor user experience as the user's network session is interrupted and the captive portal browser may not fire reliably.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Frequent Contributor I

Re: 2FA for 802.1X with Okta

Thanks! - The more I thought about it, the more I realized the inherent challenges with the solution. We're going to steer the customer away from these approaches. We have some internal CISO advisors who are going to address it with the customer's security team. EAP-TLS and some combination of additional authorization checks should be sufficient.
