Okta RADIUS Integration With Aruba ClearPass for Multi-Factor Authentication (MFA)
Overview

This knowledge article outlines the procedure for integrating Okta as an external authentication source for Aruba ClearPass Policy Manager (CPPM) using the RADIUS protocol. This configuration allows ClearPass to proxy authentication requests to the Okta RADIUS Agent, enabling organizations to enforce Multi-Factor Authentication (MFA) for network access (such as 802.1X Wi-Fi) or device management access (via TACACS+).

Applies To
  • Network Access Control (NAC) and Centralized Identity Management
  • Multi-Factor Authentication (MFA)
  • Okta Identity Engine (OIE)
  • Okta RADIUS Agent
  • Aruba ClearPass Policy Manager (CPPM)
  • ArubaOS (AOS)
  • Implementing Multi-Factor Authentication (MFA) for RADIUS-based authentication, where ClearPass acts as the Network Access Server (NAS) or a RADIUS proxy
Solution

The integration requires configuration in three main areas: the Okta RADIUS Agent installation, the Okta Application setup, and the Aruba ClearPass service configuration.

 

Install and Configure the Okta RADIUS Server Agent

  1. Download and install the Okta RADIUS Server Agent from the Okta Administration portal on a dedicated server (on-premises or in the cloud).
  2. Follow the provided URL prompt during installation to authorize the agent and link it to the Okta account.

Configure the RADIUS Application in Okta

  1. Log in to the Okta Admin Console.
  2. Navigate to Applications > Applications and search the Browse App Catalog for "RADIUS Application".
  3. Click Add, give the application a name, and click Next.
  4. Open the newly created application, go to Sign On, and configure the RADIUS settings.
  5. Set the RADIUS Port (default is 1812).
  6. Set a Shared Secret. This secret must match the one configured in ClearPass.
  7. Click Save.
  8. Under Advanced RADIUS Settings, click Edit.
  9. Check the boxes for:
    • Accept password and security token in the same login request
    • Permit Automatic Push for Okta Verify Enrolled Users
  10. Click Save.

Configure ClearPass to Proxy RADIUS Requests to Okta

  1. Log in to Aruba ClearPass Policy Manager (CPPM).
  2. Navigate to Configuration > Services and click Add.
  3. Name the service (for example, Okta-MFA-RADIUS) and set the Type to RADIUS Proxy.
  4. Under the Authorization tab, optionally add additional sources (such as Active Directory or LDAP) to retrieve contextual user information.
  5. Navigate to the Proxy Targets tab.
  6. Click Add New Proxy Target.
  7. Enter a Name (for example, Okta-Agent).
  8. Enter the Hostname (or IP) of the server where the Okta RADIUS Agent is installed.
  9. Set Protocol to RADIUS.
  10. Enter the Port and the Shared Secret (these must match the RADIUS Port and Shared Secret set in Step 2, Configure the RADIUS Application in Okta).
  11. Click Save.
  12. Verify the new Okta Proxy Target is set in the Proxy Targets list.
  13. Configure the Enforcement Policy to grant appropriate access roles based on the successful Okta authentication result.
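
Both the Okta RADIUS application and the ClearPass proxy target must hold the same Shared Secret. The following is an added example, not part of the original article and not Okta or Aruba code: it runs the RFC 2865 password-hiding and Response Authenticator computations offline to show what a mismatch does. The secrets and password are constructed sample values, and check_secret_pair is a hypothetical helper name.

```python
import hashlib, hmac, os, struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, req_auth):
    """User-Password hiding, RFC 2865 section 5.2 (sender side)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password, as done by the receiving RADIUS server."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_response(code, ident, req_auth, secret, attrs=b""):
    """Reply whose Response Authenticator is MD5(header+ReqAuth+attrs+secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(resp, req_auth, secret):
    """Check the proxy performs on the reply, using its own copy of the secret."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def check_secret_pair(proxy_secret, agent_secret, password=b"constructed-Passw0rd!"):
    """Return (agent recovers the password, proxy accepts the reply)."""
    req_auth = os.urandom(16)  # Request Authenticator chosen by the sender
    hidden = hide_password(password, proxy_secret, req_auth)
    recovered = unhide_password(hidden, agent_secret, req_auth)
    reply = build_response(ACCESS_ACCEPT, 1, req_auth, agent_secret)
    return recovered == password, response_is_authentic(reply, req_auth, proxy_secret)

if __name__ == "__main__":
    # Constructed secrets: identical pair, then a copy-paste trailing space.
    print(check_secret_pair(b"constructed-secret", b"constructed-secret"))
    print(check_secret_pair(b"constructed-secret", b"constructed-secret "))
```

With differing secrets the receiving side decodes a garbled password and the sender cannot validate the reply, so a single stray character in either Shared Secret field is enough to fail every authentication.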

(Optional) Configure ClearPass for Administrative Access (If using TACACS+)

  1. If using the TACACS+ protocol for administrative access (for example, to network devices), configure a Token Server authentication source.
  2. In ClearPass, create a new Service of Type: TACACS+ Enforcement.
  3. Under Authentication, add a new Authentication Source.
  4. Set the Type to Token Server.
  5. In the Primary tab, enter the server name/IP of the Okta on-prem agent and match the Port and Secret.
  6. Select this new Okta Authentication source for the service.

(Optional) Configure Network Access Device (for example, Aruba Mobility Conductor)

  1. Log in to the network device (for example, Aruba Mobility Conductor).
  2. Configure a new RADIUS Server entry that points to the ClearPass Policy Manager IP/Hostname and uses the shared secret defined in ClearPass for the NAS/Client configuration.
  3. Configure the appropriate Server Group and Authentication Profile to use the ClearPass server for user authentication.
