Okta Integration with Aruba ClearPass for MFA support (Radius and TACACS)

In a previous post I covered how to integrate Aruba VIA with Okta MFA. Since we don't want the network admins to feel left out, this guide shows how to integrate Okta with Aruba ClearPass to provide MFA for management access to Aruba devices, with both RADIUS and TACACS+ support.

Before you Begin

Go through the Okta RADIUS (on-prem) service configuration guide. If you have already deployed the Okta RADIUS agent for VIA or another application, you can skip Step 1 and reuse the existing agent. https://help.okta.com/en/prod/Content/Topics/integrations/getting-started.htm

Steps to configure Aruba (TACACS+/RADIUS) integration with Okta MFA

To configure the integration, complete the following steps:

  • Step 1: Install the Okta RADIUS server agent (on-prem)
  • Step 2: Configure the Radius application in Okta
  • Step 3: Configure ClearPass to proxy TACACS+/RADIUS requests to the Okta agent
  • Step 4: Configure the AOS management authentication profile
  • Step 5: Enable MFA in Okta (optional)

Step 1: Install the Okta RADIUS server agent

  1. From the Okta portal, download the Okta RADIUS server agent.
  2. Install the agent on the server (cloud or local).

AWS: https://help.okta.com/en/prod/Content/Topics/integrations/aws-radius-intg-install-radius.htm

Local: https://help.okta.com/en/prod/Content/Topics/integrations/getting-started-overview.htm

  3. When prompted, follow the URL to authorize the agent and link it to the Okta account:
https://{yourorg.okta.com}/oauth2/auth?code={code}

Step 2: Configure the Radius application in Okta

  1. Log in to the Okta administration console.
  2. Click Applications > Browse App Catalog and search for Radius.
  3. Select Radius Application from the list.
  4. Click Add.
  5. Give the application a name and click Next.
  6. Open the application, click Sign On, and under Settings click Edit.
  7. Set the RADIUS port (default 1812). If the agent already serves another application such as VIA, use a different port for this one; the agent routes requests to applications by port.
  8. Set a shared secret; this must match what is set in ClearPass.
  9. Click Save.
  10. Under Advanced RADIUS Settings click Edit.
  11. Under Authentication, check "Accept password and security token in the same login request" and "Permit Automatic Push for Okta Verify Enrolled Users".
  12. Click Save.

Step 3: Configure ClearPass (TACACS+/RADIUS)

Management access requests from Aruba devices are sent to ClearPass first; ClearPass proxies the authentication to Okta, which performs AuthN and MFA, and ClearPass then applies its enforcement policy to assign the admin role.

ClearPass TACACS+ configuration:

  1. Log into Aruba ClearPass and click Configuration > Services > Add.
  2. Name the service.
  3. Select Type: TACACS+ Enforcement.
  4. Optionally enable the Authorization checkbox.
  5. Click Next.
  6. Under Authentication click Add New Authentication Source.
  7. Name the AuthN source.
  8. Set Type to Token Server.
  9. Optionally add an Authorization source.
  10. Click the Primary tab.
  11. Enter the server name (or IP) of the Okta on-prem agent.
  12. Set the protocol to RADIUS and match the port and secret to what you configured in the Okta Radius application (Step 2).
  13. Click Save.
  14. Select the new Okta authentication source as the Source.
  15. Click Next.
  16. Under Authorization, add any sources such as AD/LDAP from which you want additional context about the user.
  17. Click Next.
  18. Roles are optional but may be required for differentiated access such as Read-Only vs Read-Write.
  19. Click Next.
  20. Under Enforcement Policy, use an existing policy if defined or create a new one for role-based access.
  21. Click Save.

ClearPass RADIUS configuration:

  1. Log into Aruba ClearPass and click Configuration > Services > Add.
  2. Name the service.
  3. Select Type: RADIUS Proxy.
  4. Define the service rules that match the management-access requests (the original post shows example rules in a screenshot).
  5. Optionally enable the Authorization checkbox.
  6. Click Next.
  7. Under Authorization, add an additional source (e.g. AD or LDAP) to pull context about the user if required.
  8. Click Next.
  9. Roles are optional but may be required for differentiated access such as Read-Only vs Read-Write.
  10. Click Next.
  11. Under Proxy Targets click Add New Proxy Target.
  12. Enter the name, the hostname (or IP) of the Okta agent, protocol RADIUS, and the shared secret and port defined in the Okta Radius application (Step 2).
  13. Click Save.
  14. Verify Okta appears in the Proxy Target list.
  15. Click Next.
  16. Under Enforcement Policy, use an existing policy if defined or create a new one for role-based access.
  17. Click Save.

Step 4: Configure the AOS management authentication profile

  1. Log into the Aruba Mobility Conductor.
  2. Under Configuration > Authentication > Auth Servers > All Servers, click the + sign.
  3. Give the server a name, set Type to RADIUS (or TACACS if you built the TACACS+ service), and enter the IP/hostname of ClearPass.
  4. Click Submit.
  5. Click the name of the server to expand its options.
  6. Enter the shared secret; it must match the secret ClearPass holds for this device in its network device entry (this is a different secret from the one shared between ClearPass and the Okta agent).
  7. Click Submit.
  8. Click the + sign under Server Groups.
  9. Add a name and click Submit, then click the name to expand the list.
  10. Click the + sign and add the ClearPass server you just created.
  11. Click Submit and push the pending changes.
  12. Under Configuration > System > Admin > Admin Authentication Options, change the server group to the ClearPass group created in the previous step.
  13. Click Submit and push the pending changes.
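The CLI equivalent of the Step 4 GUI work, as an added example rather than configuration from the original post: the server name, IP address, group name and default role are assumed placeholders, and the key must be the secret ClearPass holds for this device. For RADIUS management authentication the ClearPass enforcement profile returns the admin role to AOS in the Aruba-Admin-Role vendor-specific attribute (for example root or read-only); the default-role below only applies when the server returns no role.

```text
! Added example (assumed names and addresses); apply at the appropriate
! configuration node on the Mobility Conductor, then save the configuration.
aaa authentication-server radius "ClearPass"
    host "10.10.10.5"
    key <secret-ClearPass-has-for-this-device>
    auth-port 1812
    acct-port 1813
!
aaa server-group "ClearPass-SG"
    auth-server "ClearPass"
!
aaa authentication mgmt
    default-role "read-only"
    enable
    server-group "ClearPass-SG"
!
```

Set default-role to the least-privileged role you are comfortable with; if the enforcement policy in ClearPass ever fails to return Aruba-Admin-Role, that is the role an authenticated admin will land in.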

Step 5: (Optional) Enable MFA

This step enables MFA for the Radius application created in Step 2 (or for whichever existing Okta RADIUS application owns the port ClearPass forwards to). Once the user submits credentials to the Aruba device, ClearPass forwards them to Okta, Okta triggers an Okta Verify push, and management access is granted after the user approves it.

  1. From the Okta portal, select the Radius application.
  2. Under Sign On Policy, click Add Rule.
  3. Give the rule a name (MFA Always, for example).
  4. Under Actions, allow access and verify that Prompt for factor is checked.
  5. Click Save.
  6. Verify the MFA rule is in the correct order and enabled.

Test Okta + MFA management access

  1. Log out of the Mobility Conductor or open a new private browser window.
  2. Open the Mobility Conductor login page and enter the user credentials. This AuthN request is sent to ClearPass and then to Okta. Depending on where your user database lives, these could be AD/LDAP credentials or Okta-managed ones; this depends on how the Okta service is configured.
  3. SSH to the Mobility Conductor or a Managed Device and enter the user credentials.
  4. The Okta MFA push arrives on the enrolled device. After you approve it ("Yes, it's me"), you are logged in.
  5. Verify the proper role was assigned to the user.

Testing and Troubleshooting:

TIP: Be sure to enroll your device in Okta Verify before testing. There is no workflow that supports enrolling the device at the time of first authentication through RADIUS; enrollment must be done beforehand.

If the push notification fails but the client still connects, verify the MFA rule is enabled under the Sign On settings of the Radius application in Okta (Step 5).

If the credentials are valid but the client fails to connect, verify the path end to end: the Mobility Conductor or gateway must reach ClearPass, and ClearPass must reach the Okta RADIUS agent on the port and with the secret from Step 2. For AOS 8 the AAA Test Server can verify the first hop: from the gateway select Diagnostics > AAA Test Server, select the ClearPass server configured in Step 4, choose auth method PAP, and enter the username/password. ClearPass Access Tracker shows whether the request reached ClearPass and what the proxied request to Okta returned.
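To isolate the second hop (ClearPass to the Okta agent) from the first, it helps to send the same kind of RADIUS Access-Request that ClearPass proxies, straight to the agent from any host that can reach it. The script below is an added example and is not code from the original post, Okta or Aruba; it implements RFC 2865 PAP (User-Password obfuscation with the shared secret and Request Authenticator) and verifies the Response Authenticator on the reply, so a wrong shared secret shows up as a rejected reply rather than a silent timeout. The agent hostname, port and secret are assumed placeholders; replace them with the values from Steps 2 and 3. With "Accept password and security token in the same login request" enabled (Step 2), the password is entered as password,otp; with push, enter just the password and wait for the approval.

```python
"""
Stand-alone RADIUS PAP check for the Okta RADIUS agent (RFC 2865).
Added example, not from the original post or from Okta/Aruba.
Assumed values: AGENT_HOST, AGENT_PORT and SECRET (replace with your own).
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_NAS_IDENTIFIER = 1, 2, 18, 32

# Assumed lab values: the agent host and the port/secret set on the Okta Radius application.
AGENT_HOST, AGENT_PORT, SECRET = "okta-agent.example.internal", 1812, b"ChangeMe-ClearPass-Secret"


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple (minimum 16), XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous block' is the authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return bytes(out)


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt (what the agent does); trailing NUL padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length byte includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 1, nas_id: bytes = b"okta-radius-check") -> tuple:
    """Access-Request as ClearPass would send it. Returns (packet, request authenticator)."""
    authenticator = os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + encode_attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH16s", ACCESS_REQUEST, identifier, 20 + len(attrs), authenticator)
    return header + attrs, authenticator


def build_response(code: int, identifier: int, attrs: bytes, secret: bytes,
                   request_authenticator: bytes) -> bytes:
    """Server side (RFC 2865 section 3): Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def response_is_authentic(packet: bytes, secret: bytes, request_authenticator: bytes) -> bool:
    """False means wrong shared secret, reply to a different request, or a spoofed reply."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    return expected == packet[4:20]


def parse_response(packet: bytes, secret: bytes, request_authenticator: bytes) -> tuple:
    """Returns (code name, list of Reply-Message strings); refuses unauthenticated replies."""
    if len(packet) < 20 or not response_is_authentic(packet, secret, request_authenticator):
        raise ValueError("unauthenticated RADIUS reply: check the shared secret")
    code, length = packet[0], struct.unpack("!H", packet[2:4])[0]
    attrs, i, messages = packet[20:length], 0, []
    while i + 2 <= len(attrs):
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            raise ValueError("malformed attribute")
        if attr_type == ATTR_REPLY_MESSAGE:
            messages.append(attrs[i + 2:i + attr_len].decode(errors="replace"))
        i += attr_len
    return CODE_NAMES.get(code, f"code {code}"), messages


def check_agent(username: str, password: str, host: str = AGENT_HOST, port: int = AGENT_PORT,
                secret: bytes = SECRET, timeout: float = 60.0) -> tuple:
    """Send one request and wait; the timeout must cover the user approving an Okta Verify push."""
    packet, authenticator = build_access_request(username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    return parse_response(reply, secret, authenticator)


if __name__ == "__main__":
    import getpass
    user = input("Okta username: ")
    print(check_agent(user, getpass.getpass("Password (or password,otp): ")))
```

An Access-Accept here with a working Step 4 login that still fails points at the ClearPass service, its proxy target or enforcement policy; an Access-Reject with a reason in Reply-Message, or a ValueError from the authenticator check, points at the credentials, the MFA enrollment or the shared secret. Send only from a host you control and over a trusted path: PAP hides the password with MD5 keyed by the shared secret, which is obfuscation rather than strong encryption.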

If authentication fails, check the Okta application logs: log into Okta and, under the application, click View Logs. Verify the event was seen by Okta and note the reason for the failure.

TIP: Make sure the proper group or the individual user is assigned to the Radius application in Okta. If not, authentication will fail.