Okta and Cisco ASA VPN interoperate through the Okta RADIUS Agent. For authentication, the agent translates RADIUS authentication requests from the VPN device into Okta API calls. This guide explains how to configure your Cisco ASA VPN device and the Okta RADIUS Agent.
For authorization, the Cisco device interacts directly with an AD/LDAP Server to pull group memberships and attributes.
| Capability | Supported | Notes |
|---|---|---|
| Authentication with Okta Credentials via RADIUS | Yes | |
| Authentication with Okta Credentials via SAML | Yes | |
| Multi-factor authentication via RADIUS | Yes | Use the Cisco AnyConnect client. |
| Multi-factor authentication via SAML | Yes | |
| Group memberships/Attributes via RADIUS | No | |
Download and install the RADIUS agent according to Installing the Okta RADIUS Agent.
- Create an Authentication, Authorization, and Accounting (AAA) Server Group on the Cisco ASA using the ASDM management software.
- Create one or more AAA Server Profiles within the AAA group.
- Configure the Cisco ASA to use the AAA group for VPN access.
- Log in to the Cisco ASDM interface with admin rights.
- Go to Configuration > AAA Server Groups.
- Click Add to add a new AAA Server Group.
- Enter a friendly server group name.
- Set the protocol to RADIUS.
- Accept the default settings for all other fields.
- Enter your Interface Name. It should be the network interface that corresponds to your VPN connection.
- Enter your Server Name or IP Address. It should be the IP address of the Okta RADIUS Server.
- Enter a Timeout duration. If using Push, you should increase this from the default of 10 to at least 20 seconds.
- Enter the Server Authentication Port. This should be the port that the Okta RADIUS Agent is listening on (the default is 1812).
- Leave the default Server Accounting Port.
- Leave the default Retry Interval.
- Set the Server Secret Key to the Okta RADIUS shared secret that you configured in the Okta RADIUS installation.
- Leave Common Password blank.
- Accept the ACL Netmask Convert default setting.
- Leave Microsoft CHAPv2 Capable unchecked.
- Test the connection.
- Map the AAA Server Group to the appropriate VPN Access Method.
- Go to Configuration > Remote Access VPN > AnyConnect Connection Profiles. Your VPN interface should already be set up.
- Check each of the settings in the screenshot below.
- Click Add in the Connection Profiles section.
- Configure the Connection Profile as follows:
- Enter a friendly name.
- Enter an alias if desired.
- Set method to AAA.
- Enter the AAA Server Group created above.
- Leave Use LOCAL if Server Group fails unchecked.
- If appropriate, configure a Group Policy and Client Address Assignment rule.
- Make sure Enable SSL VPN client protocol is Checked.
- Set up a Dynamic Access Policy to filter users who can connect to your VPN. Without this policy, anyone with Okta credentials may use your VPN.
- Go to Configuration > Remote Access VPN > Dynamic Access Policy.
- Click Add.
- Enter a name for your policy.
- Select Add.
- Use the attribute interface to filter end users. You can filter based on Group Policy, IP Address, Connection Profile, or Username.
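What the ASA exchanges with the Okta RADIUS Agent once the AAA Server Group above is in place, as an added Python example (not Okta's or Cisco's code): it builds a PAP Access-Request whose User-Password attribute is hidden under the shared secret and the Request Authenticator (RFC 2865), and performs the Response Authenticator check that makes an Access-Accept built without the Server Secret Key fail. PAP is assumed because Microsoft CHAPv2 Capable is left unchecked; the secret, username, password and authenticator below are constructed sample values.

```python
import hashlib
import os
import struct

# Constructed sample secret; a real deployment uses the one entered during the agent install.
SHARED_SECRET = b"constructed-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _attr(atype, value):
    # Attribute TLV: type (1 byte), length (1 byte, includes the 2-byte header), value
    return bytes([atype, len(value) + 2]) + value

def _password_xor(data, secret, authenticator, decrypt=False):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous ciphertext block);
    # the Request Authenticator stands in for the "previous block" of the first block.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        prev = data[i:i + 16] if decrypt else block
        out += block
    return out

def encrypt_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return _password_xor(padded, secret, authenticator)

def decrypt_password(ciphertext, secret, authenticator):
    return _password_xor(ciphertext, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(identifier, username, password, secret, authenticator=None):
    """Access-Request as the ASA sends it to the Okta RADIUS Agent on UDP 1812 (PAP)."""
    authenticator = authenticator or os.urandom(16)  # fresh 16-byte Request Authenticator
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, encrypt_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(header + Request Authenticator + attrs + secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request_authenticator, secret):
    """The client-side check on an Access-Accept: a reply built without the shared secret fails."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return reply[4:20] == expected
```

The Response Authenticator is the only thing binding an Access-Accept to the ASA's request, which is why the shared secret must be kept to the ASA and the agent host.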
There are two types of authorization: coarse-grained and fine-grained. Coarse-grained access control allows you to define which users can access the VPN device. It does not provide further control over which VPN zones or resources the end user can then access. You can block users from logging in, but once they're in, they can access all of the resources in your environment. Fine-grained access control refers to controlling the scope of access for an authenticated user.
To control who gets access to the VPN device via RADIUS, use the Okta Sign-On Policy.
- In Okta, go to Security > Policies > Okta Sign-On Policy.
- Click Add New Okta Sign-on Policy.
- Name your new policy.
- Select your new policy.
- Click Edit.
- Add the groups you want to use your policy.
Note: You can learn more about Okta sign-on policies in the knowledge base article Configuring Sign On Policies.
You must configure fine-grained authorization control from the Cisco ASA VPN device. Cisco ASA supports LDAP as an Authorization Provider. You can use an LDAP connection to query an end user's group memberships and make access decisions based on that.
- Create a new Authorization Provider. In ASDM, navigate to Configuration > AAA > Local Users > AAA Server Groups > Add...
- Enter a name.
- Select LDAP protocol.
- Add an LDAP server.
- Enter the information corresponding to your LDAP server. Make sure that the LDAP port is open between the Cisco ASA and the LDAP/AD server. Using LDAP over SSL is recommended to improve security.
- Click OK. You can now reference this AAA Server Group in a Dynamic Access Policy (DAP).
- Go to Configuration > Network (Client) Access > Dynamic Access Policies.
- Click Add to add a new policy.
To apply the LDAP server group to the tunnel-group from the CLI:

```
ciscoasa(config)# tunnel-group remote-1 general-attributes
ciscoasa(config-general)# authorization-server-group ldap_dir_1
```
Edit the AAA Attribute Type as follows:
- Choose LDAP as the AAA Attribute Type.
- Choose the Attribute ID that you want to establish a condition for (use memberOf for groups).
- Enter the value of the attribute.
- Optionally, click Get AD Groups to choose from a drop down list.
- Click OK.
Your end users' experience depends on how they access your VPN and the authentication method you choose. End users can access VPN through a browser or the Cisco AnyConnect client. Authentication choices include single and multi-factor methods.
End user experience: single factor authentication
- Navigate to your VPN URL.
- Enter the Okta username and password.
- Click Logon.
End user experience: multi-factor authentication
- Navigate to your VPN URL.
- Enter the Okta username and password.
- Click Logon.
- Respond to the MFA Challenge.
Cisco AnyConnect and multi-factor authentication
You can use Okta with the Cisco AnyConnect Client. When your end user chooses multi-factor authentication, they must:
- Select a second authentication method from the menu.
- Click Continue.
- Perform the task associated with the chosen MFA method.
Learn more about MFA in the MFA End User FAQ.