Cisco ASA authenticating against Okta radius agent for MFA. Credentials being rejected.
Phil Ngo


Hi.  I am trying to configure a Cisco ASA to authenticate against an Okta RADIUS agent server, and my credentials are getting rejected.  I am following this document, https://support.okta.com/help/blogdetail?id=a67F0000000blQKIAY, and am failing at Step 1.4.  The error message states that the credential failed.  Anyone have any insights on this?

Cisco ASA version 8.4(6)
AnyConnect version 3.1.05152
Okta agent version 2.2.0 on Windows 2008R2 server.

Thanks,
Phil
Eric Karlinsky (Okta, Inc.)

Hey Phil,

One thing to check is if MFA is enabled. MFA should be disabled for RADIUS when you're setting it up and testing. Most testing tools cannot handle the challenge-response flow with MFA enabled.

Also make sure that the RADIUS ports are open. By default, the Okta RADIUS Agent uses UDP over port 1812, but that's configurable. That port must be open between the VPN device and the RADIUS Agent for authentication to succeed.

Eric

Phil Ngo
Hey Eric,

MFA is enabled for "Okta Verify" and there is a security policy to prompt for RADIUS that is assigned to a test group.

I don't have any restrictions for communications/connectivity between the ASA and Agent server.  However, when I do an nmap (port scan) against the Agent server I do not see port 1812 as being opened.  Does installing the Okta agent open that port?  What is strange is when I do an authentication test against the Agent server I am getting a response back that the credential is being rejected.  On the Agent server logs, it does show that it is responding to the request from the Cisco ASA.  Is there anything else I should be checking?  Thanks again for your quick response.

--Phil
Phil Ngo
Hi Eric,

I got things working.  I overlooked your "most testing tools cannot handle challenge-response flow" statement and you have to use AnyConnect to test.

I have one last question on allowing groups instead of per user but I will start a new question for that.  Thanks for the help!

--Phil
Mukti Bansal
Hi,

I have the same issue in my setup. I have installed the Okta RADIUS agent and configured our F5 APM to authenticate VPN requests via Okta. It is working fine with just username and password, but as soon as I create a rule in the Okta Sign-on policy to "Prompt for Factor" for the RADIUS authentication type, the authentication for VPN fails. Is there something I am missing in the configuration?

--Mukti
Venkat Rangan
I have the same issue - works fine with "Prompt for Factor" disabled, for a Barracuda F380 VPN Firewall device. But if I enable MFA, the Barracuda Client puts up a One Time Prompt field, and the second factor code causes the credential to fail. The Okta RADIUS Agent has the entry:

2017-12-01 00:38:20 UTC [WIN-8E532IJLH75, pool-1-thread-13, radiusRequestId=... user=... requestType=primary] : INFO  - Challenge requested: Please select your second authentication method [num]:
1 - Okta Verify.
2 - Okta Verify Push.
3 - Google Authenticator.
Enter '0' to abort.

2017-12-01 00:38:20 UTC [WIN-8E532IJLH75, pool-1-thread-13, radiusRequestId=..., user=... requestType=primary] : INFO  - Completed processing. packetId=109, totalProcessingTime=408ms, queueTime=0ms, oktaTime=407ms, httpCode=200, result=OK, remoteAddress=...okta.com/52.14.242.0:443
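Eric's remark that most test tools cannot follow the challenge-response flow and the agent log Venkat posted describe the same exchange: the agent answers the first Access-Request with an Access-Challenge carrying the factor menu in Reply-Message plus a State attribute, and the client has to send a second Access-Request with the user's choice and the echoed State. The Python below is an added example written for this page (not Okta's, Cisco's or any poster's code) of a minimal RADIUS client that does follow that loop and also verifies the Response Authenticator, so a wrong shared secret or a forged reply is rejected rather than misread as a credential failure; the `send` transport callable, the `build_reply` agent-side helper (used only to simulate the agent offline) and all secrets, user names and State values are assumptions of this example.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def tlv(attr_type, value):  # one RADIUS Type/Length/Value attribute
    return struct.pack("!BB", attr_type, len(value) + 2) + value
def pap_encrypt(password, secret, authenticator):
    # RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    padded, out, prev = password + b"\x00" * (-len(password) % 16), b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, secret, username, answer, state=None):
    # Round 1 carries the password; later rounds carry the reply to the prompt (menu number
    # or OTP) in User-Password and echo the agent's State so it can match the challenge.
    auth = os.urandom(16)
    attrs = tlv(USER_NAME, username.encode()) + tlv(USER_PASSWORD, pap_encrypt(answer.encode(), secret, auth))
    attrs += tlv(STATE, state) if state is not None else b""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth

def build_reply(code, ident, request_auth, secret, attrs):
    # Agent side, used here only to simulate the agent: Response Authenticator per RFC 2865 s3
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs
def reply_is_authentic(reply, request_auth, secret):
    return hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest() == reply[4:20]
def parse_packet(pkt):
    # (code, ident, {attr_type: [values]}); stops at a truncated or malformed attribute
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos + 2 <= min(length, len(pkt)) and pkt[pos + 1] >= 2:
        attrs.setdefault(pkt[pos], []).append(pkt[pos + 2:pos + pkt[pos + 1]])
        pos += pkt[pos + 1]
    return code, ident, attrs

def authenticate(send, secret, username, password, answer_prompt):
    # Access-Request/Access-Challenge loop. send(pkt) returns the agent's reply bytes (UDP
    # sendto/recv on port 1812 in practice); answer_prompt(text) stands in for the user typing.
    ident, answer, state = 0, password, None
    while True:
        pkt, auth = build_access_request(ident, secret, username, answer, state)
        reply = send(pkt)
        if not reply_is_authentic(reply, auth, secret):
            raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
        code, _, attrs = parse_packet(reply)
        if code != ACCESS_CHALLENGE:
            return code == ACCESS_ACCEPT
        prompt = b"".join(attrs.get(REPLY_MESSAGE, [])).decode(errors="replace")
        answer, state, ident = answer_prompt(prompt), attrs[STATE][0], (ident + 1) % 256
```

A single-round test tool that only sends one Access-Request and treats anything but Access-Accept as "credential rejected" will report exactly the failure described in the thread whenever the policy prompts for a factor.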