Security

Hi,

We have a customer who wants to use AD 802.1x auth with OTP (SMS or email). The OTP will be sent directly from clearpass without the aid of third party products.

The flow will be like this: Enter AD username and password for 802.1x -> User gets default role which will redirects to captive portal to enter the OTP -> user enter the OTP sent via SMS/Email -> user gets the proper role

Is this possible? 

Thank you.

That may work, however you should not use AD username/password to do 802.1X authentication (PEAP) as it puts the user password at risk. Instead, use EAP-TLS or TEAP for secure access. Also, some clients don't handle captive portal on 802.1X networks very well. You may not get the captive portal automatically as the operating system may assume that 802.1X together with captive portal is an unusual combination.

I would try to move away your customer from this idea.

Hi,

We have a customer who wants to use AD 802.1x auth with OTP (SMS or email). The OTP will be sent directly from clearpass without the aid of third party products.

The flow will be like this: Enter AD username and password for 802.1x -> User gets default role which will redirects to captive portal to enter the OTP -> user enter the OTP sent via SMS/Email -> user gets the proper role

Is this possible? 

Thank you.

Hi Herman, Thank you for your input, i will inform the customer about it.

In the meantime, could you explain how this would work?

I see in this link https://www.linkedin.com/pulse/multifactor-authentication-aruba-clearpass-sushanth-mascarenhas/ that they use captive portal authentication before the OTP, but im not sure how this works with 802.1x before the OTP part. How do i get the CP to send the OTP without captive portal auth?

That may work, however you should not use AD username/password to do 802.1X authentication (PEAP) as it puts the user password at risk. Instead, use EAP-TLS or TEAP for secure access. Also, some clients don't handle captive portal on 802.1X networks very well. You may not get the captive portal automatically as the operating system may assume that 802.1X together with captive portal is an unusual combination.

I would try to move away your customer from this idea.

Hi,

We have a customer who wants to use AD 802.1x auth with OTP (SMS or email). The OTP will be sent directly from clearpass without the aid of third party products.

The flow will be like this: Enter AD username and password for 802.1x -> User gets default role which will redirects to captive portal to enter the OTP -> user enter the OTP sent via SMS/Email -> user gets the proper role

Is this possible? 

Thank you.

Don't combine 802.1X + MFA.  It is an awful user experience.... 

Hi Herman, Thank you for your input, i will inform the customer about it.

In the meantime, could you explain how this would work?

I see in this link https://www.linkedin.com/pulse/multifactor-authentication-aruba-clearpass-sushanth-mascarenhas/ that they use captive portal authentication before the OTP, but im not sure how this works with 802.1x before the OTP part. How do i get the CP to send the OTP without captive portal auth?

That may work, however you should not use AD username/password to do 802.1X authentication (PEAP) as it puts the user password at risk. Instead, use EAP-TLS or TEAP for secure access. Also, some clients don't handle captive portal on 802.1X networks very well. You may not get the captive portal automatically as the operating system may assume that 802.1X together with captive portal is an unusual combination.

I would try to move away your customer from this idea.

Hi,

We have a customer who wants to use AD 802.1x auth with OTP (SMS or email). The OTP will be sent directly from clearpass without the aid of third party products.

The flow will be like this: Enter AD username and password for 802.1x -> User gets default role which will redirects to captive portal to enter the OTP -> user enter the OTP sent via SMS/Email -> user gets the proper role

Is this possible? 

Thank you.

Hi,

We have a customer who wants to use AD 802.1x auth with OTP (SMS or email). The OTP will be sent directly from clearpass without the aid of third party products.

The flow will be like this: Enter AD username and password for 802.1x -> User gets default role which will redirects to captive portal to enter the OTP -> user enter the OTP sent via SMS/Email -> user gets the proper role

Is this possible? 

Thank you.