Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

2FA for 802.1X with Okta

  • 1.  2FA for 802.1X with Okta

    Posted Jul 16, 2019 05:53 PM

    Hi Aruba Community,


    I've seen a few posts about this but I haven't found a definitive answer. I'm working with a customer who would like to enable 2FA for a wireless 802.1X workflow. They currently have Okta integrated in with their environment. I did find a how-to post for a similar setup using RSA SecurID and setting the authentication source as a token server.

     

    I've also found some documentation on the Okta side of the house supporting a RADIUS configuration. Has anyone successfully been able to get Okta to work as a 2FA authentication server for 802.1x? Any advice or steps to configure? Or does anyone have other solutions that they can recommend?

     

    Thanks in advance!



  • 2.  RE: 2FA for 802.1X with Okta
    Best Answer

    EMPLOYEE
    Posted Jul 16, 2019 05:58 PM
    MFA with 802.1X is not recommended as the user experience is very poor and in some cases, requires a custom supplicant to be installed on the device.


  • 3.  RE: 2FA for 802.1X with Okta

    Posted Jul 16, 2019 06:26 PM

    Thanks Tim! - Can you elaborate on what you mean by a poor user experience?

     

    And do you have any other recommendations for customers wishing to pursue MFA as an option? Perhaps an EAP-TLS / OnGuard combo?



  • 4.  RE: 2FA for 802.1X with Okta

    Posted Jul 16, 2019 06:58 PM

    I've also seen some community posts regarding some "sandwich" workflows. This seems like a workable solution. Was anyone able to get this working or is there any documentation on such a solution?



  • 5.  RE: 2FA for 802.1X with Okta

    Posted Jul 16, 2019 08:01 PM

    A captive portal (where I can customize the MFA cache) would work for their needs. However, I only see that Duo is supported and not Okta. - Has anyone got this working with Okta?



  • 6.  RE: 2FA for 802.1X with Okta

    EMPLOYEE
    Posted Jul 16, 2019 08:59 PM
    The sandwich flow is a poor user experience as the user's network session is interrupted and the captive portal browser may not fire reliably.


  • 7.  RE: 2FA for 802.1X with Okta

    Posted Jul 17, 2019 02:42 PM

    Thanks! - The more I thought about it, the more I realized the inherent challenges with the solution. We're going to steer the customer away from these approaches. We have some internal CISO advisors who are going to address it with the customer's security team. EAP-TLS and some combination of additional authorization checks should be sufficient.



  • 8.  RE: 2FA for 802.1X with Okta

    Posted Aug 29, 2019 10:45 AM

    So I have gotten Okta RADIUS to work behind the internal captive portal, but it won't work with straight 802.1X due to the fact that Okta is PAP only and 802.1X defaults to PEAP.

    But it works via the internal captive portal: make it authenticated and point it to your Okta RADIUS server.

    I'm using Okta Verify, and if they use the token inside Verify, they just have to put their password in, then put a comma behind it with the token key, and they will be authenticated.
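
Why the reply above hinges on PAP, as an added example that is not part of the thread and not Okta or Aruba code: RADIUS PAP (RFC 2865, section 5.2) only masks the User-Password with MD5 and the shared secret, so the server recovers the full typed string and can split off a token appended after a comma, whereas PEAP's usual inner method (MSCHAPv2) sends only a challenge response. The shared secret, sample credential, split-on-last-comma rule and numeric-token check are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import os

BLOCK = 16  # MD5 digest size; RFC 2865 section 5.2 works in 16-octet blocks


def hide_password(cleartext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a PAP User-Password value the way a RADIUS client (NAS) does."""
    if not 1 <= len(cleartext) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = cleartext + b"\x00" * (-len(cleartext) % BLOCK)
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], pad))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the cleartext on the RADIUS server; needs only the shared secret."""
    if not hidden or len(hidden) % BLOCK or len(hidden) > 128:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")  # strip the null padding


def split_password_and_token(cleartext: bytes) -> tuple[bytes, bytes | None]:
    """Split 'password,token' on the LAST comma (assumed: passwords may contain commas)."""
    password, sep, token = cleartext.rpartition(b",")
    if not sep or not token.isdigit():  # assumed: the appended token is numeric
        return cleartext, None          # password-only request
    return password, token


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample values throughout
    authenticator = os.urandom(16)         # Request Authenticator from the packet
    wire = hide_password(b"Corr,ect-Horse7,123456", secret, authenticator)
    print("on the wire:", wire.hex())
    print("server sees:", split_password_and_token(unhide_password(wire, secret, authenticator)))
```

Because the masking depends only on MD5 and the shared secret, the password and token are readable by every RADIUS hop that holds that secret, which is one reason to keep the NAS-to-server path on a protected segment.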





  • 9.  RE: 2FA for 802.1X with Okta

    EMPLOYEE
    Posted Aug 29, 2019 11:39 AM

    The Okta RADIUS server is only supported for VPN use cases in CPPM. You should be using SAML for a captive portal workflow.



  • 10.  RE: 2FA for 802.1X with Okta

    Posted Aug 29, 2019 11:51 AM

    "Supported" is OK, but I'm saying it works and connects just fine. I personally have a Layer 3 mobility issue between APs to stop my users from reauth to every new VC cluster in the building.



  • 11.  RE: 2FA for 802.1X with Okta

    Posted Aug 29, 2019 04:25 PM

    In the end we were able to steer our customer in the EAP-TLS direction and do it in a way that satisfies our customer's security requirements. I would recommend this approach per the feedback that I got there.