Security

Hi All

I've been doing some testing with VIA and Clearpass with Microsoft MFA using the NPS extension. Managed to get it working however there are some limitations, one of which is the maximum that can be set for the authentication server timeout is 30 seconds, which is just about long enough for a push notification but a bit of a stretch for phone call authorization. We are currently running AOS 8.6.0.7 does anyone know if this has been changed in a later version and can be set to something longer than 30 seconds.

Thanks

Dave

This is not a recommended deployment model. Phone call or SMS-based second factor is quite pointless.

------------------------------
Tim C
------------------------------

Original Message:
Sent: May 04, 2021 08:17 AM
From: David Gratton
Subject: VIA and Microsoft Authenticator MFA

Hi All

I've been doing some testing with VIA and Clearpass with Microsoft MFA using the NPS extension. Managed to get it working however there are some limitations, one of which is the maximum that can be set for the authentication server timeout is 30 seconds, which is just about long enough for a push notification but a bit of a stretch for phone call authorization. We are currently running AOS 8.6.0.7 does anyone know if this has been changed in a later version and can be set to something longer than 30 seconds.

Thanks

Dave

Hi Tim

Thanks for the reply, unfortunately we have to cater for all users and phone call or SMS is the only option for some.
We have ruled out the use of SMS or token as this requires the use of PAP and it appears you have to disable "Allow user to save passwords" in the connection profile which seems to break things for OSX and iOS devices.

I have a follow-up question. In order to get this working I had to disable IKEv2 in the connection profile otherwise I found that you had approximately a 5 second window in which to approve the sign in request on the app when using IKEv2 with eap-mschapv2. With IKEv2 disabled and mschapv2 set as the authentication protocol in the authentication profile it works as above with the 30 second limitation.

Our setup is, VIA controller > Clearpass proxying to NPS with MFA extension. When using IKEv2 I can see in the access tracker that an access accept is being returned to the controller, however if you do not accept the sign in request on the app within about 5 seconds VIA fails to connect. Any idea why this could be, is there a timeout setting I've missed?

Thanks

Dave


Original Message:
Sent: May 04, 2021 10:30 AM
From: Tim C
Subject: VIA and Microsoft Authenticator MFA

This is not a recommended deployment model. Phone call or SMS-based second factor is quite pointless.

------------------------------
Tim C

Original Message:
Sent: May 04, 2021 08:17 AM
From: David Gratton
Subject: VIA and Microsoft Authenticator MFA

Hi All

I've been doing some testing with VIA and Clearpass with Microsoft MFA using the NPS extension. Managed to get it working however there are some limitations, one of which is the maximum that can be set for the authentication server timeout is 30 seconds, which is just about long enough for a push notification but a bit of a stretch for phone call authorization. We are currently running AOS 8.6.0.7 does anyone know if this has been changed in a later version and can be set to something longer than 30 seconds.

Thanks

Dave

Unsure if it is relevant, there is a VIA Technote on using Microsoft Cloud MFA together with VIA.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: May 04, 2021 08:17 AM
From: David Gratton
Subject: VIA and Microsoft Authenticator MFA

Hi All

I've been doing some testing with VIA and Clearpass with Microsoft MFA using the NPS extension. Managed to get it working however there are some limitations, one of which is the maximum that can be set for the authentication server timeout is 30 seconds, which is just about long enough for a push notification but a bit of a stretch for phone call authorization. We are currently running AOS 8.6.0.7 does anyone know if this has been changed in a later version and can be set to something longer than 30 seconds.

Thanks

Dave

Thanks Herman, I did follow that document while I was testing but it seems to just suggest using IKEv1
Original Message:
Sent: May 05, 2021 04:35 AM
From: Herman Robers
Subject: VIA and Microsoft Authenticator MFA

Unsure if it is relevant, there is a VIA Technote on using Microsoft Cloud MFA together with VIA.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: May 04, 2021 08:17 AM
From: David Gratton
Subject: VIA and Microsoft Authenticator MFA

Hi All

I've been doing some testing with VIA and Clearpass with Microsoft MFA using the NPS extension. Managed to get it working however there are some limitations, one of which is the maximum that can be set for the authentication server timeout is 30 seconds, which is just about long enough for a push notification but a bit of a stretch for phone call authorization. We are currently running AOS 8.6.0.7 does anyone know if this has been changed in a later version and can be set to something longer than 30 seconds.

Thanks

Dave

From the document:
- PAP supports all the authentication methods of Azure MFA in the cloud: phone call, one-way text message, mobile app notification, OATH hardware tokens, and mobile app verification code.
- CHAPV2 and EAP support phone call and mobile app notification.
I would assume (have not tested) that EAP is possible with IKEv2. PAP may only be available on IKEv1, however with EAP-GTC in v2, you might be able to get it working as well. The document seems to describe quite closely what you are asking.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: May 07, 2021 06:09 AM
From: David Gratton
Subject: VIA and Microsoft Authenticator MFA

Thanks Herman, I did follow that document while I was testing but it seems to just suggest using IKEv1
Original Message:
Sent: May 05, 2021 04:35 AM
From: Herman Robers
Subject: VIA and Microsoft Authenticator MFA

Unsure if it is relevant, there is a VIA Technote on using Microsoft Cloud MFA together with VIA.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: May 04, 2021 08:17 AM
From: David Gratton
Subject: VIA and Microsoft Authenticator MFA

Hi All

I've been doing some testing with VIA and Clearpass with Microsoft MFA using the NPS extension. Managed to get it working however there are some limitations, one of which is the maximum that can be set for the authentication server timeout is 30 seconds, which is just about long enough for a push notification but a bit of a stretch for phone call authorization. We are currently running AOS 8.6.0.7 does anyone know if this has been changed in a later version and can be set to something longer than 30 seconds.

Thanks

Dave

Thanks for the reply. I have setup the service as per the document and it does work but with some fairly major limitations.
As it says in the document, when configured with IKEv1 and PAP in order to get the text message or verification code working, you have to disable the "allow user to save password" option, unfortunately this causes XAuth to fail on Mac devices so has to be switched on. So that rules out text and verification code.
With IKEv1 and MSCAHPv2, push notification and phone call work, as long as you are quick as you only have 30 seconds due to the auth server timeout.
I would obviously prefer to use IKEv2 as the IETF use phrases like "IKEv1 is deprecated and MUST NOT be deployed" and "Systems that support IKEv1 but not IKEv2 are most likely also unsuitable candidates for continued operation".
When you turn on IKEv2 with MSCHAPv2, push notifications via the app still work but for some reason that 30 second time limit becomes around 5 seconds, so I'm wondering if there is a setting that I've missed for this, I can't find anything.
I currently have a TAC case open via our partner for this so hopefully will get somewhere with it, but thought I would ask in case anyone else has tried.

Thanks

Dave
Original Message:
Sent: May 11, 2021 10:54 AM
From: Herman Robers
Subject: VIA and Microsoft Authenticator MFA

From the document:
- PAP supports all the authentication methods of Azure MFA in the cloud: phone call, one-way text message, mobile app notification, OATH hardware tokens, and mobile app verification code.
- CHAPV2 and EAP support phone call and mobile app notification.
I would assume (have not tested) that EAP is possible with IKEv2. PAP may only be available on IKEv1, however with EAP-GTC in v2, you might be able to get it working as well. The document seems to describe quite closely what you are asking.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: May 07, 2021 06:09 AM
From: David Gratton
Subject: VIA and Microsoft Authenticator MFA

Thanks Herman, I did follow that document while I was testing but it seems to just suggest using IKEv1
Original Message:
Sent: May 05, 2021 04:35 AM
From: Herman Robers
Subject: VIA and Microsoft Authenticator MFA

Unsure if it is relevant, there is a VIA Technote on using Microsoft Cloud MFA together with VIA.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: May 04, 2021 08:17 AM
From: David Gratton
Subject: VIA and Microsoft Authenticator MFA

Hi All

I've been doing some testing with VIA and Clearpass with Microsoft MFA using the NPS extension. Managed to get it working however there are some limitations, one of which is the maximum that can be set for the authentication server timeout is 30 seconds, which is just about long enough for a push notification but a bit of a stretch for phone call authorization. We are currently running AOS 8.6.0.7 does anyone know if this has been changed in a later version and can be set to something longer than 30 seconds.

Thanks

Dave

This file seems to be missing and also removed from ASP. If you have it, can you share it here?

------------------------------
Jason Leong Kwong Fei
------------------------------

Original Message:
Sent: May 05, 2021 04:35 AM
From: Herman Robers
Subject: VIA and Microsoft Authenticator MFA

Unsure if it is relevant, there is a VIA Technote on using Microsoft Cloud MFA together with VIA.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: May 04, 2021 08:17 AM
From: David Gratton
Subject: VIA and Microsoft Authenticator MFA

Hi All

I've been doing some testing with VIA and Clearpass with Microsoft MFA using the NPS extension. Managed to get it working however there are some limitations, one of which is the maximum that can be set for the authentication server timeout is 30 seconds, which is just about long enough for a push notification but a bit of a stretch for phone call authorization. We are currently running AOS 8.6.0.7 does anyone know if this has been changed in a later version and can be set to something longer than 30 seconds.

Thanks

Dave