Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius timeout for proxy targets & Microsoft Azure MFA/NPS

  • 1.  Radius timeout for proxy targets & Microsoft Azure MFA/NPS

    Posted Nov 26, 2018 02:05 PM

    We are in the process of looking at using ClearPass to proxy RADIUS requests to Microsoft NPS and then on to Azure for MFA authentication. I have gotten this to work; however, I ran into an issue.


    (Right now Microsoft NPS is the only way to talk to Microsoft Azure MFA)


    I noticed that in ClearPass under Server Configuration, the maximum response delay for RADIUS can only be set to a maximum of 5 seconds; however, Microsoft is recommending up to a 60-second delay, as the user will either have to enter a token code or approve the request via the Authenticator app.


    Is there a workaround?


    This seems to have been an issue with TACACS at one point and seems to have been addressed, but not for RADIUS:


    https://community.arubanetworks.com/t5/Security/ClearPass-TACACS-timeout/td-p/433414

    https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.7.3/Default.htm#WhatsNew/NewFeatures_PolicyMgr.htm


    For multi-factor authentication (MFA) workflows that use TACACS+, a new TACACS+ Authentication Timeout service parameter lets you specify the TACACS server’s timeout interval. The default value for this parameter is 30 seconds. The minimum allowed value is 1 second, and the maximum allowed value is 300 seconds (5 minutes). Previously, the default timeout value was 10 seconds and could not be changed. An extended TACACS+ timeout interval might be needed when MFA workflows such as phone calls or text messages are used, which can take longer for the user to complete. To use this feature, go to the Administration > Server Manager > Server Configuration and select the service. On the Service Parameters tab, select Tacacs server as the service and then configure a value for the TACACS+ Authentication Timeout parameter. (#43268)
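    The failure mode in this post is a proxy hop that stops waiting before the downstream MFA step completes. The following is an added example, not code from the thread or from HPE Aruba or Microsoft: it models ClearPass proxying one request to an NPS/Azure MFA backend and shows what happens when the proxy's response delay is the 5 s limit from the post versus the 60 s Microsoft guidance. The 20 s approval time, the sample user name, and the SCALE factor (real seconds shrunk to 10 ms each so the run finishes quickly) are assumptions.

```python
import queue
import threading
import time
from dataclasses import dataclass

# Added example, not code from the thread or from HPE Aruba / Microsoft.
# 1 modelled second == 10 ms of wall-clock time; the 5 s and 60 s values
# are the figures quoted in the post, the 20 s approval time is an
# assumption standing in for "user unlocks the phone and taps Approve".
SCALE = 0.01


@dataclass
class ProxyResult:
    outcome: str       # "Access-Accept" returned to the NAS, or "timeout"
    waited_s: float    # modelled seconds the proxy actually waited
    late_replies: int  # backend replies that arrived after the proxy gave up


def mfa_backend(request: str, approval_s: float, reply_to: queue.Queue) -> None:
    """Stand-in for NPS + Azure MFA: the user approves after approval_s."""
    time.sleep(approval_s * SCALE)
    reply_to.put(("Access-Accept", request))


def proxy_authenticate(request: str, proxy_timeout_s: float,
                       approval_s: float) -> ProxyResult:
    """Forward one request and wait at most proxy_timeout_s for the answer.

    A reply that lands after the proxy has already given up is the case the
    post describes: the user approved on the phone, but the proxy had
    stopped waiting, so the NAS never sees the Access-Accept.
    """
    replies: queue.Queue = queue.Queue()
    backend = threading.Thread(target=mfa_backend,
                               args=(request, approval_s, replies),
                               daemon=True)
    started = time.monotonic()
    backend.start()
    try:
        outcome, _ = replies.get(timeout=proxy_timeout_s * SCALE)
    except queue.Empty:
        outcome = "timeout"
    waited = (time.monotonic() - started) / SCALE
    backend.join()  # let the backend finish so a late reply can be counted
    return ProxyResult(outcome, round(waited, 1), replies.qsize())


def run_scenarios() -> dict:
    """Run the post's two configurations and return the results by label."""
    user = "bob@example.test"  # constructed sample user name
    return {
        "clearpass_max_5s": proxy_authenticate(user, 5, 20),
        "microsoft_guidance_60s": proxy_authenticate(user, 60, 20),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label}: {result.outcome} after {result.waited_s} s "
              f"(late replies discarded: {result.late_replies})")
```

The same reasoning applies one hop further out: the NAS has its own RADIUS timeout, so raising the ClearPass proxy delay alone is not enough unless the NAS (and its retransmit count) is also given at least as long as the slowest MFA approval you expect to succeed.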



  • 2.  RE: Radius timeout for proxy targets & Microsoft Azure MFA/NPS

    EMPLOYEE
    Posted Nov 26, 2018 02:07 PM
    You can use Azure MFA Server directly from ClearPass.


  • 3.  RE: Radius timeout for proxy targets & Microsoft Azure MFA/NPS

    Posted Nov 26, 2018 02:19 PM

    Tim, from what I have read you can only connect to Azure MFA if you have an on-prem MFA server. We are using the Azure cloud MFA server.


    Are you sure you can connect to the cloud MFA? If so, how?



  • 4.  RE: Radius timeout for proxy targets & Microsoft Azure MFA/NPS

    Posted Nov 26, 2018 02:20 PM


  • 5.  RE: Radius timeout for proxy targets & Microsoft Azure MFA/NPS

    EMPLOYEE
    Posted Nov 26, 2018 02:21 PM
    Yes, Azure MFA Server, which is a standalone server. You do not need to proxy through NPS.


  • 6.  RE: Radius timeout for proxy targets & Microsoft Azure MFA/NPS

    Posted Nov 26, 2018 02:25 PM

    Yes, I know about the standalone server; however, I've been told by our Windows group that we will not be deploying the on-site MFA server, as it adds complications to our setup.


    So I have no choice but to proxy through an NPS server with the MFA plugin.



  • 7.  RE: Radius timeout for proxy targets & Microsoft Azure MFA/NPS

    Posted May 22, 2019 11:03 AM

    Hey Tim, any documentation on how to set up on-prem Azure?


    I am working on an Azure MFA - Cisco ASA - ClearPass integration for VPN users.


    Thanks,



  • 8.  RE: Radius timeout for proxy targets & Microsoft Azure MFA/NPS

    Posted Feb 28, 2019 05:27 AM

    Hi,

    sorry to "misuse" this thread.

    We also run MS Azure MFA in the same config as you do, but we ran into an issue:

    The MS NPS Server is only "talking" EASCII but NOT UTF-8, which leads to several characters not being correctly interpreted.

    I have not found a way to either use UTF-8 on the MS NPS or EASCII on the ClearPass.


    Did you run into the same issue or do you have any workaround?


    Thanks for taking the time to read this
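    The mismatch described in this post can be reproduced and audited for ahead of time. The following is an added example, not code from the thread or from HPE Aruba or Microsoft: it assumes ClearPass puts RADIUS string attributes (User-Name, and the password bytes that go into User-Password before the RFC 2865 obfuscation) on the wire as UTF-8 and that the NPS side reads the same bytes as Windows extended ASCII, modelled as code page 1252. The sample names are constructed. It shows what NPS would see for each value, flags the ones that will not match, and separately lists characters the code page cannot carry at all (those fail even if NPS were handed correctly converted bytes).

```python
from dataclasses import dataclass

# Added example, not code from the thread or from HPE Aruba / Microsoft.
# Assumption: the extended-ASCII page the NPS side applies is cp1252,
# the usual Windows "ANSI" code page.
NPS_CODEPAGE = "cp1252"


@dataclass
class EncodingCheck:
    value: str         # the string as ClearPass holds it
    wire: bytes        # the UTF-8 bytes that cross the proxy hop
    seen_by_nps: str   # how the extended-ASCII reader decodes those bytes
    round_trips: bool  # True when both sides agree on every character
    unmappable: str    # characters the code page cannot represent at all


def _representable(ch: str) -> bool:
    """True if a single character exists in the assumed NPS code page."""
    try:
        ch.encode(NPS_CODEPAGE)
        return True
    except UnicodeEncodeError:
        return False


def check_attribute(value: str) -> EncodingCheck:
    """Show what a UTF-8 attribute turns into on an extended-ASCII reader."""
    wire = value.encode("utf-8")
    # cp1252 leaves 0x81, 0x8D, 0x8F, 0x90 and 0x9D undefined; a UTF-8
    # continuation byte can land on one of them, so render those as U+FFFD
    # instead of aborting the report.
    seen = wire.decode(NPS_CODEPAGE, errors="replace")
    unmappable = "".join(ch for ch in value if not _representable(ch))
    return EncodingCheck(value, wire, seen, seen == value, unmappable)


def audit_names(names) -> list:
    """Return the entries that will not survive the ClearPass -> NPS hop.

    Run it over a directory export of user names before cut-over to find
    the accounts that the encoding mismatch in the post will affect.
    """
    return [c for c in map(check_attribute, names) if not c.round_trips]


# Constructed sample values; pure ASCII passes, anything else is mangled.
SAMPLE_NAMES = ["jdoe", "müller", "Pässwörd", "josé", "Złoty", "€uro"]

if __name__ == "__main__":
    for check in audit_names(SAMPLE_NAMES):
        extra = (f" (not representable at all: {check.unmappable!r})"
                 if check.unmappable else "")
        print(f"{check.value!r:>12} -> NPS sees {check.seen_by_nps!r}{extra}")
```

Two distinct problems show up in the output: a name such as "Pässwörd" is representable in cp1252 but still fails, because NPS reads the two UTF-8 bytes of each umlaut as two separate characters; a name containing "ł" fails regardless, because the code page has no such character, so an ASCII-only naming and password policy is the only fix that does not depend on the proxy hop being re-encoded.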