Aruba ClearPass 2FA
This guide shows how to set up two-factor authentication for Aruba switches. This requires Aruba ClearPass to be integrated with Protectimus’ Multi-Factor Authentication (MFA) solution. You can use the Protectimus Cloud MFA Service or the Protectimus On-Prem MFA platform, which should be installed in the client’s environment or private cloud.
The Protectimus Two-Factor Authentication Server communicates with Aruba network equipment using the RADIUS authentication protocol. The Protectimus RADIUS Server component acts as a RADIUS server:
- It accepts an incoming RADIUS authentication request.
- Then, it accesses the user store (Active Directory, etc.) to confirm the user’s login and password.
- The next step is to check the one-time password. To do this, Protectimus RADIUS Server contacts the Protectimus two-factor authentication server.
- If both authentication factors are correct, Protectimus RADIUS Server allows the user to connect to the Aruba switch.
The diagram below shows how the Protectimus two-factor authentication solution for Aruba network equipment works.
1. How Aruba Switches Two-Factor Authentication (2FA) Works
Two-factor authentication (2FA / MFA) protects user accounts from attacks such as brute force, phishing, keyloggers, man-in-the-middle, social engineering, data spoofing, etc.
After you set up two-factor authentication for Aruba switches, users will need two different authentication factors to connect to Aruba networking equipment.
- The first factor is login and password (what the user knows);
- The second factor is a one-time password generated using a hardware OTP token or a smartphone (what the user has).
2. How to Enable MFA for Aruba Switch
You can set up Aruba Switch two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
- Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
- Install and configure Protectimus RADIUS Server.
- Add Protectimus as RADIUS Server for your Aruba Switch.
2.1. Get Registered and Configure Basic Protectimus Settings
- Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
- Add Resource.
- Add Users.
- Add Tokens or activate Users’ Self Service Portal.
- Assign Tokens to Users.
- Assign Tokens with Users to the Resource.
2.2. Install and Configure Protectimus RADIUS Server
Detailed instructions for installing and configuring the Protectimus RADIUS Server for Aruba switches 2-factor authentication using RADIUS are available here.
2.3. Add Protectimus as RADIUS Server for your Aruba Switch
There are two options to configure multi-factor authentication for Aruba switch via RADIUS:
- WebUI configuration. Available for the older versions of Aruba ClearPass.
- CLI configuration. Newer versions of Aruba switches can be configured only through the configuration console.
How to configure MFA for Aruba switch via WebUI
- In the Aruba Networks ClearPass WebUI Console, go to Configuration –> Security –> Authentication –> Servers.
- Select RADIUS Server to display the RADIUS Server List.
- Provide a Name for the new server, e.g. Protectimus, and click Add.
- Select the name to configure the parameters, such as IP Address, and then check Mode to activate the server.
- Click Apply.
- Select Server Group to display the Server Group List.
- Provide a Name for the new server group, e.g. corp_radius, and click Add.
- Select the name to configure the parameters.
- Under Servers, select New to add a server to the group.
- Select the server (i.e. Protectimus) from the dropdown menu and click Add Server.
- Click Apply.
- Go to Configuration –> Management –> Administration.
- Under Management Authentication Servers, select a management role, e.g. root, for the Default Role.
- Check Mode to activate.
- For the Server Group, select the newly created group, i.e. corp_radius.
- Click Apply.
How to configure MFA for Aruba switch via CLI
How to Add New RADIUS Server
    aaa authentication-server radius Protectimus
       host <ipaddr>
       enable
How to Add New Server Group
    aaa server-group corp_radius
       auth-server Protectimus
How to Define Role for Server Group
    aaa authentication mgmt
       default-role root
       enable
       server-group corp_radius
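The following is an added example, not part of the original guide and not Protectimus or Aruba code: a Python check that the three CLI stanzas above reference each other consistently, so that management authentication is enabled, points at a defined server group, and that group contains an enabled RADIUS server with a host. It assumes the configuration is available as text in indented stanza form; the function names, the sample configuration and the address 192.0.2.10 are constructed for illustration.

```python
# Constructed sample in indented stanza form; 192.0.2.10 is a documentation address.
SAMPLE_CONFIG = """\
aaa authentication-server radius Protectimus
   host 192.0.2.10
   enable
aaa server-group corp_radius
   auth-server Protectimus
aaa authentication mgmt
   default-role root
   enable
   server-group corp_radius
"""

def parse_stanzas(text):
    """Map each unindented 'aaa ...' line to the list of indented lines under it."""
    stanzas, current = {}, None
    for line in text.replace('"', "").splitlines():  # tolerate quoted names
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            current = stanzas.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return stanzas

def check_mgmt_radius(text):
    """Return a list of problems; an empty list means the chain is complete."""
    st = parse_stanzas(text)
    problems = []
    mgmt = st.get("aaa authentication mgmt")
    if mgmt is None:
        return ["no 'aaa authentication mgmt' stanza"]
    if "enable" not in mgmt:
        problems.append("management authentication is not enabled")
    # Follow the reference from mgmt authentication to its server group.
    group = next((l.split()[1] for l in mgmt if l.startswith("server-group ")), None)
    members = st.get(f"aaa server-group {group}")
    if members is None:
        return problems + [f"server group {group!r} is not defined"]
    servers = [l.split()[1] for l in members if l.startswith("auth-server ")]
    if not servers:
        problems.append(f"server group {group!r} has no auth-server")
    for name in servers:  # every member must be a defined, enabled server with a host
        body = st.get(f"aaa authentication-server radius {name}")
        if body is None:
            problems.append(f"RADIUS server {name!r} is not defined")
        elif not any(l.startswith("host ") for l in body) or "enable" not in body:
            problems.append(f"RADIUS server {name!r} lacks host or enable")
    return problems
```

An empty result from `check_mgmt_radius` only confirms that the references line up; it does not test that the RADIUS server is reachable or that the OTP check succeeds.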
Integration of two-factor authentication (2FA/MFA) for your Aruba ClearPass is now complete. If you have other questions, contact Protectimus customer support service.