Okta Classic Engine | Integrations | Answered | 2024-04-30T09:18:25.000Z | 2017-04-26T07:25:45.000Z | 2017-04-27T14:17:21.000Z
Okta integration with Cisco ISE

We are potentially looking at retiring AD and replacing it with UD in the near future, mastering all identities in the Okta Universal Directory, and would like to future-proof ourselves with any integrations that are being carried out now with this assumption in mind.

 

Currently there is a requirement to utilize Cisco ISE for network-based device access management and we require a way to integrate Okta with ISE. We have explored the option for Okta to act as a RADIUS proxy for user authentication for ISE, but that strategy in itself will take away the fine-grained access control capability that ISE offers and hence cannot be adopted. ISE generally integrates with user stores such as AD via the LDAP protocol, ODBC, SQL, etc. It is our understanding that Okta does not provide those types of interfaces, rather recommending that the Okta APIs be used.

 

The bottom line is that if we migrate from AD -> UD then we would like to pass the rich attribute data to ISE for fine-grained device access control. We note that for the Okta/RADIUS use case, Okta provides an EA Generic RADIUS app. However, it appears to have some limitations. In this particular instance, we are also migrating to an almost entirely Wi-Fi-based deployment for employee systems and as such, we believe the app would be unsuited to this deployment due to the fact that it does not support Wi-Fi infrastructure.

 

Has anyone come across this use case before, or is anyone able to advise on a possible strategy?


  • j5v7c (j5v7c)

    Hello,

    I see that you want to migrate from AD, integrating to UD with Okta RADIUS with Cisco ISE. After searching through this issue, we have not yet deployed Okta RADIUS with Cisco ISE, nor has this been tested, nor is it currently supported at the moment. You will have to consult with the developer on this. But to research more on Universal Directory, here is a link that may provide insight: https://help.okta.com/en/prod/Content/Topics/Directory/About_Universal_Directory.htm

  • Hi Akshat,

     

    I'm interested to understand more here.

     

    My general understanding is that a Wi-Fi deployment of this nature would still require ISE, as it provides additional capabilities of granular policy enforcement.

     

    The latest versions of the Okta RADIUS Agent support the ability to return group memberships that can be used by ISE to enforce/apply granular user-based policies.

     

    Is this what you had in mind? Did you end up implementing this?

     

    Thanks,

    -Matt
This question is closed.