Aruba ClearPass 2FA

This guide shows how to set up two-factor authentication for Aruba switches. This requires Aruba ClearPass to be integrated with Protectimus’ Multi-Factor Authentication (MFA) solution. You can use the Protectimus Cloud MFA Service or the Protectimus On-Prem MFA platform, which should be installed in the client’s environment or private cloud.

The Protectimus Two-Factor Authentication Server communicates with Aruba network equipment using the RADIUS authentication protocol. The Protectimus RADIUS Server component acts as a RADIUS server:

  1. It accepts an incoming RADIUS authentication request.
  2. Then, it accesses the user store (Active Directory, etc.) to confirm the user’s login and password.
  3. The next step is to check the one-time password. To do this, Protectimus RADIUS Server contacts the Protectimus two-factor authentication server.
  4. If both authentication factors are correct, Protectimus RADIUS Server allows the user to connect to the Aruba switch.
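
Added example (not Protectimus or Aruba code): the RADIUS messages behind steps 1 and 4, per RFC 2865. It shows how the shared secret hides the User-Password attribute in the request and authenticates the server's reply. The user name, password and shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2      # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2           # RADIUS attribute types
SECRET = b"constructed-shared-secret"     # constructed sample value

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Server side: whoever holds the shared secret recovers the cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # must be unpredictable
    fields = ((USER_NAME, user),
              (USER_PASSWORD, hide_password(password, secret, authenticator)))
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in fields)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(code, id, length, request auth, attrs, secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request, secret):
    """Client side: accept only replies bound to this request and this secret."""
    if len(reply) < 20 or reply[1] != request[1] or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def demo():
    req = build_access_request(7, b"alice", b"constructed-pass-123", SECRET)
    reply = build_reply(ACCESS_ACCEPT, req, SECRET)
    return reply_is_authentic(reply, req, SECRET), reply_is_authentic(reply, req, b"wrong")
```

Both protections rest only on MD5 and the shared secret, so use a long random secret for each RADIUS client and keep this traffic on a trusted management network.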

The diagram below shows how the Protectimus two-factor authentication solution for Aruba network equipment works.

[Diagram: MFA for Aruba switch, how to enable via RADIUS]

1. How Aruba Switches Two-Factor Authentication (2FA) Works

Two-factor authentication (2FA / MFA) protects user accounts from attacks such as brute force, phishing, keyloggers, man-in-the-middle, social engineering, data spoofing, etc.

After you set up two-factor authentication for Aruba switches, users will use two different authentication factors to connect to Aruba networking equipment.
  1. The first factor is a login and password (what the user knows);
  2. The second factor is a one-time password generated using a hardware OTP token or a smartphone (what the user has).
To compromise a user account, an attacker must get access to both passwords at once, which is almost impossible. At the same time, the attacker has only 30 seconds to crack and use the one-time password.

2. How to Enable MFA for Aruba Switch

You can set up Aruba Switch two-factor authentication (2FA) with Protectimus using the RADIUS protocol:
  1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
  2. Install and configure Protectimus RADIUS Server.
  3. Add Protectimus as RADIUS Server for your Aruba Switch.

2.1. Get Registered and Configure Basic Protectimus Settings

  1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
  2. Add Resource.
  3. Add Users.
  4. Add Tokens or activate Users’ Self Service Portal.
  5. Assign Tokens to Users.
  6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Aruba switches 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for your Aruba Switch

There are two options to configure multi-factor authentication for Aruba switch via RADIUS:
  • WebUI configuration. Available for the older versions of Aruba ClearPass.
  • CLI configuration. Newer versions of Aruba switches can be configured only through the configuration console.
Follow only the steps of the method you choose.

How to configure MFA for Aruba switch via WebUI
  1. In the Aruba Networks ClearPass WebUI Console, go to Configuration –> Security –> Authentication –> Servers.
  2. Select RADIUS Server to display the RADIUS Server List.
  3. Provide a Name for the new server, e.g. Protectimus, and click Add.
  4. Select the name to configure the parameters, such as IP Address; and then check Mode to activate the server.
  5. Click Apply.
  6. Select Server Group to display the Server Group List.
  7. Provide a Name for the new server group, e.g. corp_radius, and click Add.
  8. Select the name to configure the parameters.
  9. Under Servers, select New to add a server to the group.
  10. Select the server (i.e. Protectimus) from the dropdown menu and click Add Server.
  11. Click Apply.
  12. Go to Configuration –> Management –> Administration.
  13. Under Management Authentication Servers, select a management role, e.g. root, for the Default Role.
  14. Check Mode to activate.
  15. For the Server Group, select the newly created group, i.e. corp_radius.
  16. Click Apply.

How to configure MFA for Aruba switch via CLI

How to Add New RADIUS Server
aaa authentication-server radius Protectimus
  host <ipaddr>
  enable

How to Add New Server Group
aaa server-group corp_radius
  auth-server Protectimus

How to Define Role for Server Group
aaa authentication mgmt
  default-role root
  enable
  server-group corp_radius

Integration of two-factor authentication (2FA/MFA) for your Aruba ClearPass is now complete. If you have other questions, contact Protectimus customer support service.
Last updated on 2023-01-04