Okta integration with Cisco ISE Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Akshat SondhiAkshat Sondhi 

Okta integration with Cisco ISE

We are potentially looking at retiring AD and replacing it with UD in the near future - mastering all identities in the Okta Universal Directory and would like to future proof ourselves with any integrations that are being carried out now with this assumption in mind.

Currently there is a requirement to utilize Cisco ISE for network based device access management and we require a way to integrate Okta with ISE. We have explored the option for Okta to act as a RADIUS proxy for user authentication for ISE but that strategy in itself will take away the fine grain access control capability that ISE offers hence cannot be adopted. ISE generally integrates with user stores such as AD via the LDAP protocol, ODBC, SQL, etc. It is our understanding that Okta does not provide those type of interfaces, rather recommending that the Okta APIs be used.
The bottom line is that if we migrate from AD -> UD then we would like to pass the rich attribute data to ISE for fine grain device access control. We note that for the Okta/RADIUS use case, Okta provides an EA Generic Radius app. However, it appears to have some limitations. In this particular instance, we are also migrating to an almost entirely wifi based deployment for employee systems and as such, we believe the app would be unsuited to this deployment due to the fact that it does not support wifi infrastructure.
Has anyone come across this use case before or able to advise on a possible strategy?

Alana CottenAlana Cotten (Okta, Inc.)
I see that you want to migrate from AD, integrating to UD with Okta Radius with Cisco ISE. As searching through this issue, we have not yet deployed Okta Radius with Cisco ISE nor has this been tested or is currently supported at the moment. You will have to consult with the developer with this. But research more on Universal Directory, here is a link that may provide insight. (https://help.okta.com/en/prod/Content/Topics/Directory/About_Universal_Directory.htm)
Matt EganMatt Egan (Okta, Inc.)
Hi Akshat,

I'm interested to understand more here.

My general understanding is that a WIFI deployment of this nature would still require ISE as it provides additional capabilites of granular policiy enforcement.

WIFI with ISE and Okta Radius

The latest versions of the Okta Radius Agent support the ability to return group memberships that can be used by ISE to enforce/apply granular user based policies.

Is this what you had in mind, did you end up implimenting this?