Angela Craghead

Installed RADIUS agent to use with our Cisco ASA. Need MFA.

I installed the RADIUS agent to use with our Cisco ASA. I need to add an MFA requirement but cannot figure out how to do this. I even went as far as having Devices turned on in our Preview area to configure the VPN there instead, but again, I can't find any way to turn on the MFA requirement. Has anyone else done this?

Thank you!
Eric Karlinsky (Okta, Inc.)

Hey Angela,

This is a little bit non-intuitive right now. In order to prompt for MFA with the RADIUS Agent, MFA has to be enabled for the Okta Sign-On Policy, and for RADIUS connections. See the attached screens for setup.

[User-added image] [User-added image]

Thanks, Eric
 

Angela Craghead
Thanks Eric! This is with the Cisco AnyConnect/ASA.
Angela Craghead
Eric - Do we have any timing for when this will be released this quarter?
Eric Karlinsky (Okta, Inc.)
Angela,

The Cisco AnyConnect client fully supports Okta MFA. I removed the previous post that stated otherwise. The end user will be presented with a challenge from the AnyConnect client for second factor authentication, like this:

[User-added image]

Thanks,
Eric
 
Angela Craghead
Hi Eric,

Is the rule configuration you mentioned above still required to set up?

Thanks!
Angela
Eric Karlinsky
Hey Angela,

Yes, you still need the Okta Sign-On Policy configured for RADIUS.

Eric
Michael Allen
Eric,

I have this same use case, but we are using the Cisco VPN Client Version 5.0.07.0290. Do you know if this version of the client supports Okta MFA as well?
Tori Amundson
Angela,

What do you do if the Cisco AnyConnect prompt for MFA does not contain the descriptive text as shown in your example? MFA works, but without the text users do not know how to pick which method.

[Image: sample pop-up from AnyConnect without text]

I've followed as much advice as I can from within the Okta help site here and I can't figure out how to get the AnyConnect client to show the multiple-choice question for which factor to choose. I can see it in the logs on the Windows server running the Okta RADIUS client, and I can manually answer (press '2' for Google Authenticator, then on the next pop-up, put in the auth code, and it works).
Mukti Bansal
Hi Eric,

How does MFA for RADIUS work when we are using F5 APM and not Cisco ASA? Please could you assist with this.

--Mukti