Okta Classic Engine | Multi-Factor Authentication | Answered | 2024-04-17T09:17:07.000Z | 2016-02-19T20:45:47.000Z | 2017-02-13T22:29:18.000Z
Cisco ASA authenticating against Okta radius agent for MFA. Credentials being rejected.
Hi.  I am trying to configure a Cisco ASA to authenticate against an Okta Radius agent server and my credentials are getting rejected.  I am following this document, https://support.okta.com/help/blogdetail?id=a67F0000000blQKIAY, and am failing at Step 1.4.  The error message states that the credential failed.  Anyone have any insights on this?

Cisco ASA version 8.4(6)
AnyConnect version 3.1.05152
Okta agent version 2.2.0 on Windows 2008R2 server.

Thanks,

Phil

  • Hey Phil,

    One thing to check is if MFA is enabled. MFA should be disabled for RADIUS when you're setting it up and testing. Most testing tools cannot handle the challenge-response flow with MFA enabled.

    Also make sure that the RADIUS ports are open. By default, the Okta RADIUS Agent uses UDP over port 1812, but that's configurable. That port must be open between the VPN device and the RADIUS Agent for authentication to succeed.

    Eric
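The challenge-response flow Eric refers to, modelled end to end as an added example (this is the editor's illustration, not Okta's or Cisco's code). The packet handling follows RFC 2865 (User-Password hiding with the shared secret and Request Authenticator, Response Authenticator verification; Message-Authenticator is left out for brevity). The shared secret, user name, password and one-time code are constructed test values, and the agent side is an assumed, simplified stand-in for the Okta RADIUS Agent that issues a single Access-Challenge after a successful primary authentication. A one-shot test tool that only understands Access-Accept/Access-Reject reports "credential failed" on that challenge even though the password is right; a client that echoes the State attribute with the user's answer, as AnyConnect does, completes the login:

```python
"""RADIUS challenge-response model for Okta-style MFA over RADIUS.
Editor's example: RFC 2865 packets, simplified/assumed agent behaviour,
constructed secrets and credentials. Not Okta's or Cisco's code."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SHARED_SECRET = b"example-shared-secret"   # assumption: same value on ASA and agent
USERS = {b"phil": b"correct-horse"}        # constructed primary credential
VALID_OTP = b"123456"                      # constructed second-factor code
PENDING = {}                               # State value -> user awaiting a factor


def _attrs(pairs):
    """Encode (type, value) pairs as RADIUS TLVs (1-byte type, 1-byte total length)."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in pairs)


def parse(pkt):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:
        t, l = pkt[i], pkt[i + 1]
        attrs[t] = pkt[i + 2:i + l]
        i += l
    return code, ident, pkt[4:20], attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret || previous ciphertext block)."""
    pw = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_request(ident, username, password, state=None):
    """Access-Request with a fresh Request Authenticator; State echoes a prior challenge."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, SHARED_SECRET, auth))]
    if state is not None:
        attrs.append((STATE, state))
    body = _attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth


def build_response(code, request, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = _attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + SHARED_SECRET).digest() + body


def verify_response(resp, req_auth):
    """Drop replies that are not authenticated under the shared secret."""
    return hashlib.md5(resp[:4] + req_auth + resp[20:] + SHARED_SECRET).digest() == resp[4:20]


def agent_handle(pkt, mfa_enabled=True):
    """Assumed, simplified RADIUS Agent: primary auth, then one challenge for the OTP."""
    _, _, auth, attrs = parse(pkt)
    if attrs.get(STATE) in PENDING:             # second leg: User-Password carries the OTP
        PENDING.pop(attrs[STATE])
        ok = unhide_password(attrs[USER_PASSWORD], SHARED_SECRET, auth) == VALID_OTP
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, pkt, [])
    user = attrs.get(USER_NAME)
    if USERS.get(user) != unhide_password(attrs[USER_PASSWORD], SHARED_SECRET, auth):
        return build_response(ACCESS_REJECT, pkt, [(REPLY_MESSAGE, b"Primary authentication failed")])
    if not mfa_enabled:
        return build_response(ACCESS_ACCEPT, pkt, [])
    state = os.urandom(8)
    PENDING[state] = user
    prompt = b"Please select your second authentication method [num]:\n1 - Okta Verify.\n"
    return build_response(ACCESS_CHALLENGE, pkt, [(REPLY_MESSAGE, prompt), (STATE, state)])


def naive_test_tool(username, password, mfa_enabled=True):
    """One-shot test tool: anything but Access-Accept is reported as a bad credential."""
    req, auth = build_request(1, username, password)
    resp = agent_handle(req, mfa_enabled)
    return verify_response(resp, auth) and parse(resp)[0] == ACCESS_ACCEPT


def challenge_aware_client(username, password, answer_factor, mfa_enabled=True):
    """VPN-client behaviour: loop on Access-Challenge, echoing State with the user's answer."""
    req, auth = build_request(1, username, password)
    resp = agent_handle(req, mfa_enabled)
    while verify_response(resp, auth):
        code, ident, _, attrs = parse(resp)
        if code != ACCESS_CHALLENGE:
            return code == ACCESS_ACCEPT
        answer = answer_factor(attrs.get(REPLY_MESSAGE, b"").decode())
        req, auth = build_request((ident + 1) & 0xFF, username, answer, state=attrs[STATE])
        resp = agent_handle(req, mfa_enabled)
    return False                                # reply failed Response Authenticator check
```

With MFA enabled, naive_test_tool returns False for a correct password because the agent answers Access-Challenge, not Access-Reject; with mfa_enabled=False it returns True, which is why the advice above is to test with MFA off. challenge_aware_client succeeds only when both the password and the answer to the challenge are right. Since RADIUS here is UDP, remember that nmap's default scan is TCP-only; a listener on UDP 1812 only shows up with nmap -sU, and even then usually as open|filtered unless the agent replies.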
  • 0y2b6 (0y2b6)

    Hey Eric,

    MFA is enabled for "Okta Verify" and there is a security policy to prompt for Radius that is assigned to a test group.

    I don't have any restrictions for communications/connectivity between the ASA and Agent server.  However, when I do a nmap (port scan) against the Agent server I do not see port 1812 as being open.  Does installing the Okta agent open that port?  What is strange is when I do an authentication test against the Agent server I am getting a response back that the credential is being rejected.  On the Agent server logs, it does show that it is responding to the request from the Cisco ASA.  Is there anything else I should be checking?  Thanks again for your quick response.

    --Phil
  • 0y2b6 (0y2b6)

    Hi Eric,

    I got things working.  I overlooked your "most testing tools cannot handle challenge-response flow" statement and you have to use AnyConnect to test.

    I have one last question on allowing groups instead of per user but I will start a new question for that.  Thanks for the help!

    --Phil
  • fhtqr (fhtqr)

    Hi,

    I have the same issue in my setup. I have installed the Okta RADIUS agent and configured our F5 APM to authenticate VPN requests via Okta. It is working fine with just username and password but as soon as I create a rule in Okta Sign-on policy to "Prompt for Factor" for RADIUS authentication type, the authentication for VPN fails. Is there something I am missing in the configuration?

    --Mukti
  • VenkatR.40223 (Customer)

    I have the same issue - works fine with "Prompt for Factor" disabled, for Barracuda F380 VPN Firewall device. But if I enable MFA, the Barracuda Client puts up a One Time Prompt field, and the second factor code causes the credential to fail. Okta Radius Agent has the entry:

    2017-12-01 00:38:20 UTC [WIN-8E532IJLH75, pool-1-thread-13, radiusRequestId=... user=... requestType=primary] : INFO  - Challenge requested: Please select your second authentication method [num]:

    1 - Okta Verify.

    2 - Okta Verify Push.

    3 - Google Authenticator.

    Enter '0' to abort.

     

    2017-12-01 00:38:20 UTC [WIN-8E532IJLH75, pool-1-thread-13, radiusRequestId=..., user=... requestType=primary] : INFO  - Completed processing. packetId=109, totalProcessingTime=408ms, queueTime=0ms, oktaTime=407ms, httpCode=200, result=OK, remoteAddress=...okta.com/52.14.242.0:443
This question is closed.