Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass two-factor with Google Authenticator

  • 1.  Clearpass two-factor with Google Authenticator

    Posted Dec 11, 2017 09:22 AM

    Hi All

    I am looking into two-factor authentication for wireless (client request). We have Aruba Controllers, Instants, Clearpass and Airwave in the environment.

     

    What we want is, on the enterprise WiFi (802.1X), to use Google Authenticator to generate a token for the user to use when connecting to the wireless.

     

    What we had in mind is something similar to how the client's Palo Alto VPN currently works.
    The connecting user follows instructions and registers with their AD domain credentials on a Palo Alto portal for VPN. They receive a QR code (or normal coded string) for their VPN after registering through the Palo Alto VPN portal. The registration uses the Active Directory username and password for authentication, and the Google token for the user is associated with the AD account.

    Then, when the user connects to the VPN using their AD credentials, the token entry appears and they enter the token they get (this from within the Google Authenticator app) to complete the connection.

     

    They now want the same when connecting to wireless: they want to use their AD credentials and then the two-factor token as well for authentication, this to be separate from their Palo Alto setup.

     

    Is this possible, and where do I start looking for information to achieve this? I am thinking of using Clearpass similar to what you would do for RSA and Fortigate Authenticators, but I have no idea where to look and start for Google Authenticator.
    Any help/advice will be greatly appreciated.

     

     



  • 2.  RE: Clearpass two-factor with Google Authenticator

    EMPLOYEE
    Posted Dec 11, 2017 09:26 AM

    *ClearPass

     

    So you have an existing server serving as the Google Authenticator OTP server?

    Just a heads up, 802.1X + MFA for each authentication is not recommended.



  • 3.  RE: Clearpass two-factor with Google Authenticator

    Posted Dec 11, 2017 09:48 AM

    Hi

    I believe the client does have one, yes. However, from what I understood from the request, it needs to be a separate server.

    Hence I am still looking into the server side as well. I see there is code for a Linux-based Google OTP server available from https://github.com/google/google-authenticator, which I will be looking at.

     

    I see there are a number of edits to make in the PAM module. As to what will be required there, I am also still in the dark.



  • 4.  RE: Clearpass two-factor with Google Authenticator
    Best Answer

    EMPLOYEE
    Posted Dec 11, 2017 10:10 AM
    If they have an existing server, you'd just configure that as a token server in ClearPass.

    As mentioned in the previous post, please do not try to do this with a traditional 802.1X authentication.


  • 5.  RE: Clearpass two-factor with Google Authenticator

    Posted Jun 05, 2019 03:35 PM

    How about for management auth? Does it work? Has it been tested?