<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D50Z00008G7VPoSANOkta Classic EngineMulti-Factor AuthenticationAnswered2024-04-17T13:20:43.000Z2015-12-16T19:32:29.000Z2018-04-05T17:40:28.000Z

qsldk (qsldk) asked a question.

Edited by varun.kavoori1.5210444522562532E12 September 5, 2018 at 1:20 AM
Installed RADIUS agent to use with our Cisco ASA. Need MFA.
I installed the RADIUS agent to use with our Cisco ASA. I need to add an MFA requirement but can not figure out how to do this. I even went as far as having Devices turned on in our Preview area to configure the VPN there instead, but again, I can't find any way to turn on the MFA requirement. Has anyone else done this?

 

Thank you!
  • 9 answers
  • 1.11K views

  • eric.karlinsky1.4147731941881877E12 (Okta, Inc.)

    Hey Angela,

     

    This is a little bit non-intuitive right now. In order to prompt for MFA with the RADIUS Agent, MFA has to be enabled for the Okta Sign-On Policy, and for RADIUS connections. See the attached screens for set up.

     

    0EMF00000009Q5f0EMF00000009Q5V

     

    Thanks, Eric

     

    Expand Post

  • qsldk (qsldk)

    Thanks Eric! This is with the Cisco AnyConnect/ASA.

  • qsldk (qsldk)

    Eric - Do we have any timing for when this will be released this quarter?

  • eric.karlinsky1.4147731941881877E12 (Okta, Inc.)

    Angela,

     

    The Cisco AnyConnect client fully support Okta MFA. I removed the previous post that stated otherwise. The end user will be presented with a challenge from the AnyConnect client for second factor authentication, like this:

     

    0EMF00000009RJY

     

    Thanks,

    Eric

    Expand Post

  • qsldk (qsldk)

    Hi Eric,

     

    Is the rule configuration you mentioned above still required to set up?

     

    Thanks!

    Angela
    Expand Post

  • v2x8p (v2x8p)

    Hey Angela,

     

    Yes, you still need the Okta Sign-On Policy configured for RADIUS.

     

    Eric

  • 47qxv (47qxv)

    Eric,

     

    I have this same use case, but we are using the Cisco VPN Client Version 5.0.07.0290. Do you know if this version of the client supports Okta MFA as well?

  • ymmmx (ymmmx)

    Angela,

     

    What do you do if the Cisco Anyconnect prompt for MFA does not contain the descriptive text as shown in your example?  MFA works but without the text users do not know how to pick which method.

     

    0EMF00000009YLq

     

    I've followed as much advice as I can from within the Okta help site here and I can't figure out how to get the anyconnect client to show the multiple-choice question for which factor to choose.   I can see it in the logs on the Windows server running the Okta radius client, and I can manually answer (press '2' for google authenticator, then on next pop-up, put in the auth code, and it works).
    Expand Post

  • fhtqr (fhtqr)

    Hi Eric,

     

    How does MFA for RADIUS work when we are using F5 APM and not Cisco ASA? Please could you assist with this.

     

    --Mukti

     

    Expand Post
This question is closed.
Loading
Installed RADIUS agent to use with our Cisco ASA. Need MFA.