Cisco Anyconnect Okta

Posted on |



Cisco Anyconnect Okta

This guide details how to configure Cisco ASA VPN to use the Okta RADIUS Server Agent.

Okta and Cisco ASA interoperate through RADIUS. For each Cisco ASA appliance, you can configure AAA Server groups which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls.

Okta is a security tool that provides sign-on and authentication services for LHC Group applications and services. It will help to manage logins, simplify the sign-on process, and make our systems more secure. You will need to register yourself in Okta to ensure you can access and login to the IT services you use. Okta is the identity provider for the internet. Learn about who we are and what we stand for. MFA for Cisco VPN Discover how Okta provides secure access to your Cisco VPNs with MFA. Configure Cisco Meraki to interoperate with Okta via RADIUS. This guide details how to configure Cisco Meraki wireless access points to use the Okta RADIUS Server Agent and EAP-TTLS. The following network diagram shows the flow between Meraki and several endpoints using Okta.

  1. Okta and Cisco ASA interoperate through RADIUS. For each Cisco ASA appliance, you can configure AAA Server groups which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls.
  2. This is a bit of a complicated question. My current setup is a cisco 5515x with anyconnect partialy configured on it. Authentication is running through Okta RADIUS on a windows server.

Topics

  • Before you begin

Before you begin

Anyconnect

Before installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity: Controllers for mac computers.

Anyconnect
SourceDestinationPort/ProtocolDescription
Okta RADIUS AgentOkta Identity CloudTCP/443
HTTP		Configuration and authentication traffic
Client GatewayOkta RADIUS AgentUDP/1812RADIUS(Default, may be changed in RADIUS app install and configuration)RADIUS traffic between the gateway (client) and the RADIUS Agent (server)

Supported factors

The following MFA Factors are supported:

When integrating with Okta RADIUS, the maximum supported number of enrolled factors is dependent on the size of resulting challenge message. Okta recommends that no more than eight ( 8 ) factor be enrolled at one time.

MFA Factor Password Authentication Protocol
PAP		 Extensible Authentication Protocol - Generic Token Card
EAP-GTC		 Extensible Authentication Protocol - Tunneled Transport Layer Security
EAP-TTLS
Custom TOTP AuthenticationSupportedSupportedSupported
Duo(Push, SMS and Passcode only)SupportedNot supportedNot supported

Supported

Supported

Not supported

Google AuthenticatorSupportedSupportedSupported - as long as challenge is avoided.
For example MFA only or password, MFA.
SupportedSupportedSupported - as long as challenge is avoided.
For example:
MFA-only or password, MFA for TOTP.
Push can work with primary auth + MFA as the push challenge is sent out-of-band.

Supported

Supported

Supported

SupportedSupportedNot supported
SMS authenticationSupportedSupportedNot supported
Symantec VIPSupportedSupportedSupported
SupportedSupportedNot supported
SupportedSupportedSupported

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations. Blood allison moorer.
For additional information about the RADIUS apps refer to Configuring RADIUS applications in Okta.

Typical workflow

Task

Description

Download the RADIUS agent
  • Download the Okta RADIUS Agent from the Settings > Downloads page your in Okta org. Note that there are both Windows and Linux agents.
  • For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.
Install the Okta RADIUS Agent.
  • Install either the Windows or Linux RADIUS agents as appropriate for your environment.
Configure application
  • In your Okta org, configure the Cisco ASA - RADIUS application.
Configure gateway
  • Using the Cisco ASA Admin Console, configure the Cisco ASA gateway.
Configure optional settings
  • Configure optional settings as required, such as vendor specific attributes.
Test
  • Test the newly integrated agent.

Cisco Anyconnect Mfa Options

Related topics

Cisco Anyconnect Okta

  • Current Cisco ASA and ADSM Configuration Guides: https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.htm
  • Installing the Okta RADIUS Agent under Windows or Linux.