Hi Christopher,
Thanks for your reply.
We are using FortiAuthenticator as RADIUS and we tested that the RADIUS authentication via AD works.
However, to add another layer of security, the customer wants MFA (token based).
So I am interested in knowing if additional config on the Aruba switch is needed for it. Can you send the commands?
------------------------------
AG
------------------------------
Original Message:
Sent: Apr 29, 2021 08:26 AM
From: Christopher Wickline
Subject: Multifactor auth
All Aruba switches support TACACS (the FortiAuthenticator is also a TACACS server).
You'll need to configure the Aruba switch to point to the FortiAuthenticator for TACACS.
tacacs-server host x.x.x.x
tacacs-server key <tacacs password>
aaa authentication ssh login tacacs
That's all that would be done on the Aruba switch side; everything else needs to be done on the FortiAuthenticator. (I assume you are familiar with FortiAuthenticator, so below are general high-level steps.)
Edit your Remote AD user and assign MFA token
Add the Aruba Switch as a TACACS client
Create a TACACS policy, using AD as Identity source, and enforce two factor authentication.
Set up the appropriate TACACS response
Once that's done, when the switch sends a TACACS request, the FortiAuthenticator will verify AD credentials are correct, and will send the push for the FortiToken. If the user passes both, the FortiAuthenticator will return an accept to the switch and let the user log in. (You may need to increase the timeout on the switch because of the delay added by 2FA.)
------------------------------
Christopher Wickline
Original Message:
Sent: Apr 29, 2021 01:03 AM
From: Anupam Gaur
Subject: Multifactor auth
Hello,
We have a customer who has Aruba 2900 series and 16.x AOS version.
They want to integrate the wired switch with Fortinet FortiAuthenticator, which provides the token (same as RSA token).
The goal is to have MFA configured on the Aruba switch. The FortiAuthenticator is also acting as RADIUS server.
Can someone give a confirmation that the Aruba switch supports MFA (AD user password + token) and provide the required commands to do it?
------------------------------
AG
------------------------------