Aruba Employee

From zero to demo - Clearpass, DUO and 2FA

Hello Airheads community

 

This guide shows how to integrate Clearpass and Duo in order to support 2FA. The scenario demoed is securing access to an AOS-CX switch by using the TACACS+ protocol and Duo Push notification.

 

Here is what the integration looks like:

duo clearpass.png

PDF file attached.

 

Experience from end user:

Duo push example.png

 

Regards,

Adolfo

 

PS: Example of customer feedback when 2FA is used:

https://scholarblogs.emory.edu/lits/2017/03/10/duo-two-factor-authentication-a-major-increase-in-it-security/

New Contributor

Re: From zero to demo - Clearpass, DUO and 2FA

Hi Adolfo

 

Thanks for the guide. May I know, does this work for CLI as well, or only GUI access?

 

Thanks and Regards,

 

Leo

Aruba Employee

Re: From zero to demo - Clearpass, DUO and 2FA

Hi Leo, it works for CLI and GUI.

New Contributor

Re: From zero to demo - Clearpass, DUO and 2FA

Hi Adolfo

 

Thanks for the confirmation.

 

Thanks and Regards,

 

Leo

New Contributor

Re: From zero to demo - Clearpass, DUO and 2FA

Dear Adolfo,

 

Interesting demo. May I please ask what the purpose of the CentOS Authentication Proxy is in this setup? Is it possible to integrate Clearpass with DUO directly?

Aruba Employee

Re: From zero to demo - Clearpass, DUO and 2FA

Hi, it's a DUO product: https://duo.com/docs/authproxy-reference "The Duo Authentication Proxy is an on-premises software service that receives authentication requests from your local devices and applications via RADIUS or LDAP, optionally performs primary authentication against your existing LDAP directory or RADIUS authentication server, and then contacts Duo to perform secondary authentication. Once the user approves the two-factor request (received as a push notification from Duo Mobile, or as a phone call, etc.), the Duo proxy returns access approval to the requesting device or application."
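
As an illustration of the proxy role quoted above, here is a minimal `authproxy.cfg` sketch for the Duo Authentication Proxy. It is an added example, not part of the original thread or the attached PDF, and it assumes the RADIUS client (for instance ClearPass) has already verified the password, so the proxy performs only the Duo second factor. Every value is a placeholder or a constructed sample.

```ini
; authproxy.cfg (constructed example; all values are placeholders)

; No primary authentication inside the proxy: the RADIUS client is assumed
; to have checked the password already, so only Duo 2FA is performed here.
[duo_only_client]

[radius_server_auto]
; Integration key, secret key and API hostname of the Duo application
ikey=<INTEGRATION_KEY>
skey=<SECRET_KEY>
api_host=<API_HOSTNAME>
; Only this address may send RADIUS requests to the proxy
; (192.0.2.10 is a documentation address standing in for the RADIUS client)
radius_ip_1=192.0.2.10
radius_secret_1=<RADIUS_SHARED_SECRET>
; Use the section above for the primary-authentication step
client=duo_only_client
port=1812
; secure = reject logins when Duo cannot be reached
; safe   = let logins through on primary authentication alone
failmode=secure
```

For switch administration, `failmode` is the setting to decide deliberately: `safe` keeps logins working during a Duo outage but silently drops back to a single factor.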

Frequent Contributor I

Re: From zero to demo - Clearpass, DUO and 2FA

What use case are you trying to solve? Let's start there.

New Contributor

Re: From zero to demo - Clearpass, DUO and 2FA

Dear Adolfo,

 

Thank you for your reply.

In my case, I have Clearpass already integrated with the Active Directory for primary TACACS authentication/authorization.

I want to add a secondary authentication method using a solution like DUO. I am still exploring the options, but the way DUO works is sufficient for my needs.

 

So basically I only want DUO to help with the secondary push notification authentication. Do I still need the proxy server?
Can't Clearpass be integrated directly with DUO cloud?

New Contributor

Re: From zero to demo - Clearpass, DUO and 2FA

Thanks Timms,
Please refer to my reply to Adolfo's answer. I hope you guys can help.

All-Decade MVP 2020

Re: From zero to demo - Clearpass, DUO and 2FA

Thanks Adolfo.

 

So I'm clear, doing TACACS+ with DUO requires two separate CPPM services. One is the standard TACACS+ authentication which could stand on its own as a single factor auth. The second service is the DUO auth service which would get triggered after the first service. Is that correct?

 

We currently use the TACACS+ service in CPPM now for many devices. If I wanted to use TACACS+ with DUO for just a subset of these devices, would I need to create a new TACACS+ service and pair that with the DUO service? Or is there a way to cull out a subset of devices within the current TACACS+ service to work with DUO?

 

Thanks!

Mike
