Okta Integration with Aruba ClearPass for MFA support (Radius and TACACS)

Step 1: Install the Okta Radius server agent

Step 3: Configure ClearPass (TACACS/Radius)

Management access requests from Aruba devices will be sent to ClearPass first then to Okta AuthN + MFA.

ClearPass TACACS Configuration:

1. Log into Aruba ClearPass, Click Configuration > Services > Add
2. Name the Service
3. Select Type: TACACS + Enforcement
4. Optional enable checkbox of Authorization
5. Then click Next

6. Under Authentication click Add New Authentication Source
7. Name the AuthN source
8. Type is Token Server
9. Optional add an Authorization source
10. Click the Primary tab
11. Enter the server name (or IP) of the Okta on-prem agent
12. Set protocol Radius and match the Port and Secret to what you configured in the Okta Service (Step 1)

13. Click Save
14. Select the new Okta Authentication as the Source

15. Click Next
16. Under Authorization – add any sources like AD/LDAP for which you may want to grab additional context about the user.
17. Click Next
18. Roles are optional but may be required for differentiated access like Read-Only vs Read-Write
19. Click Next
20. Under Enforcement Policy – Use an existing policy if defined or create a new one for role-based access

21. Click Save

ClearPass Radius Configuration:

1. Log into Aruba ClearPass, Click Configuration > Services > Add
2. Name the Service
3. Select Type: RADIUS Proxy
4. Example rules as follows:

5. Optional enable checkbox of Authorization
6. Click Next
7. Under Authorization – add additional source to pull context about the user (IE AD or LDAP) if required
8. Click Next
9. Roles are optional but may be required for differentiated access like Read-Only vs Read-Write
10. Click Next
11. Under Proxy Targets – Click Add New Proxy Target
12. Enter Name, Hostname (or IP), Protocol Radius, and the shared secret and port as defined in Step 1.

13. Click Save
14. Verify Okta is set as the Proxy Target list
15. Click Next
16. Under Enforcement Policy – Use an existing policy if defined or create a new one for role-based access

17. Click Save

Step 4: Configure AOS Authentication Profile

1. Log into Aruba Mobility Conductor
2. Under Configuration > Authentication > Auth Servers > All Servers > Click the + Sign
3. Give the Server a name, Type RADIUS, and IP/Hostname of ClearPass

4. Click Submit
5. Then Click the name of server to expand the options
6. Add the shared secret same (same is in ClearPass)

7. Click Submit
8. Then click the + sign under Server Groups
9. Add a name and click submit, then click on the name to expand the list
10. Click the + sign and add the ClearPass server you just created

11. Click Submit and push the pending changes
12. Under Configuration > System > Admin > Admin Authentication Options
13. Change the server group to ClearPass (or what was configured in the previous step)
14. Click Submit and push the pending changes

Step 5: (Optional) Enable MFA

This step will enable MFA support for VIA. Once the user initiates the VIA connection, Okta will trigger an MFA push notification. Upon the user successfully clicking accept, the VIA connection will establish.

1. From the Oka portal select the Aruba VIA application
2. Under Sign On Policy – click Add Rule
3. Give the rule a name (MFA Always as an example)

4. Change the Action access to Always and verify prompt for factor is checked

5. Click Save

6. Verify the MFA policy is in the correct order and enabled

Test OKTA + MFA Management Access

1. Log out of the Mobility Conductor or open a new private browser window
2. Access the Mobility Conductor login page and enter the user Credentials

-This AuthN request will be sent to ClearPass then to Okta. Depending on where your user database lives, this could be AD/LDAP creds or Okta managed. This will depend on how the Okta service is configured.

3. SSH to the Mobility Conductor or Managed Device and enter the user credentials

4. Okta MFA push will happen on the device. After you click “Yes it was me” you will be logged in.
5. Verify the proper role was assigned to the user

Testing and Troubleshooting:

TIP: Be sure to enroll your device in MFA prior to testing. There is no workflow that support adding the device at the time of first authentication. It must be done prior to testing.

If push notification fails but client still connects – verify MFA policy is enabled under the VIA application Sign On settings in Okta

If the credentials are valid but the client fails to connect – verify the gateway has connection to the Okta radius service. For AOS8 the AAA Test Server can be used to verify connection. From the gateway select Diagnostics > AAA Test Server, select Okta, auth method PAP and enter the username / password.

If authentication fails, check the Okta application logs. Log into Okta and under the application, click view logs.

Verify the event was seen by Okta and the reason for the failure.

TIP: Make sure the proper group or the individual user is assigned to the VIA application in Okta. If not the authentication will fail.