New Contributor

Using ClearPass for IDP AAA with OTP via email/sms?



  We're attempting to add an additional layer of security to certain resources that are authenticated/authorized through our SAML2 IDP (NetIQ Access Manager).  One of the auth method available is RADIUS, so we're wondering if ClearPass can help us with the functionality we want without building/buying another RADIUS server.  


  The functionality we want to add is the ability to use SMS and/or email (preferably user-chosen at login time) to send an OTP token as a second layer of authentication (after user/pass).  Assuming we provide the SMS and email gateways, is this something CP can handle and has anyone ever done such a thing?  Any reason I could be missing why we wouldn't want to do this using CP?

Aruba Employee

Re: Using ClearPass for IDP AAA with OTP via email/sms?

I think you can absolutely use ClearPass to do this.  We have the ability to send custom HTTP messages as the result of an authentication event (in your case using radius).  You should be able to use this to send a custom payload to your gateway to trigger the OTP.


If you have not checked out our ClearPass Exchange page then that is a good place to start.  Hopeully it gives you a feel for how to construct the outbound messages depening on what your gateway accepts.  Tehnote attached to this post


As a side note ClearPass itself supports SAML2.0 for access to the admin, guest, insight or onboard login pages and you can levearge our skin technology for SSO portals.


Let us know how you get on

Search Airheads
Showing results for 
Search instead for 
Did you mean: