We are potentially looking at retiring AD and replacing it with UD in the near future, mastering all identities in the Okta Universal Directory, and would like to future-proof ourselves for any integrations that are being carried out now with this assumption in mind.
Currently there is a requirement to utilize Cisco ISE for network-based device access management, and we require a way to integrate Okta with ISE. We have explored the option of Okta acting as a RADIUS proxy for user authentication for ISE, but that strategy in itself would take away the fine-grained access control capability that ISE offers and hence cannot be adopted. ISE generally integrates with user stores such as AD via the LDAP protocol, ODBC, SQL, etc. It is our understanding that Okta does not provide those types of interfaces, instead recommending that the Okta APIs be used.
The bottom line is that if we migrate from AD -> UD, we would like to pass the rich attribute data to ISE for fine-grained device access control. We note that for the Okta/RADIUS use case, Okta provides an EA Generic Radius app. However, it appears to have some limitations. In this particular instance, we are also migrating to an almost entirely Wi-Fi-based deployment for employee systems, and as such we believe the app would be unsuited to this deployment because it does not support Wi-Fi infrastructure.
Has anyone come across this use case before, or is anyone able to advise on a possible strategy?