Security

Hi

We would like to use Clearpass to perform two-factor authentication for a VPN box. The VPN box would send a radius request to Clearpass which authenticates the user against AD. Then Clearpass should send an SMS with the code to the users' number (AD telephone field?) which the users would have to input in a form. Is this possible? If yes, how would we be able to do this?

Hi Tim.

Is there any examples of how to integrate CPPM with 3rd party vpn devices that use CPPM for user authentication with 2FA with SMS ?

Im stunned that this is not an option within Clearpass. I mean, they already have all the elements to make this work, eg: SMS engine, full control of the radius process, Access to AD.

Im sad that I have to tell the customer that they have to keep a separate redundant NPS cluster running even after they have moved all auth to Clearpass, just to have MFA. Its annoying, when it seems you are 95% of the way to make it happen.

How do I submit a feature request?

Hi

To file a feature request, go to: https://innovate.arubanetworks.com/

Done, please upvote if anyone find this useful as well.

https://innovate.arubanetworks.com/ideas/SEC-I-1197

I'll add the same response here for benefit of others:

"SMS is not a recommend second factor. NIST has recommended against its use. Stronger second factors should be used (and are already supported in CPPM). The SMS functionality in Guest was designed for low risk usage like validating a guest's phone number. We do not have plans to extend this feature."

A lot of customers use SMS as a two factor for the internal users.

Is there guides and support for integrating other "phone authentication" methods, like Google Authenticator or similar apps you can have on the phone. What are the Aruba recommendations for 2FA or Multi Authentication ?