Okta Classic Engine · Integrations · Answered · Asked 2020-09-29 (other timestamps on the page: 2020-10-08, 2024-04-16)

0bzsa (0bzsa) asked a question.

OKTA AAA Radius Cisco Switching Devices

So I got this somewhat to work. I can authenticate using the OKTA Radius and use MFA to successfully log into the device. However, there is no way to pass the authorization piece needed, because the OKTA Radius app only allows OKTA groups to come back in a response. To get this to work I locally assigned my username a privilege level. This option would be annoying, as you would have to put each individual locally on the switch to be able to configure the switch. The other option you have is to do no authorization (NONE). Really, if you are using the switch to just sign in and do MFA, that would work. I find it silly that OKTA isn't looking into making the attribute cisco-av-pair = shell:priv-lvl=* not an optional response for the group, as this could be a big marketing ploy for them. I got this to work without OKTA support, as they were not much help in this matter. Has anyone else been able to get this to work on a Cisco switch/router? I am trying to figure out how to reference the group name coming back to give that authorization with aaa.


  • User15871004093001868702 (Vendor Management)

    Also, yes, as per the article https://help.okta.com/en/prod/Content/Topics/Security/Okta_Radius_App.htm you can include groups in the RADIUS response, but the action for these specific groups has to be configured in their appliance or application:

    1. Check Include groups in RADIUS response.
    2. In the RADIUS attribute dropdown list, choose the attribute that you want Okta to pass this group information through to your specific app or infrastructure. Currently, the available choices are 11 Filter-ID and 25 Class. These values are the most widely accepted attributes to pass group information through to most vendors. If you are unsure which to choose, consult your vendor’s technical reference documentation or contact their technical team.
    3. Specify the Okta groups that you want to include in the RADIUS response if a user belongs to them.


    Note: This means that if a user belongs to four groups, but you only list two of the four in this field, Okta will only pass the two groups to your RADIUS-enabled app. Likewise, if your user doesn’t belong to either of the two groups you listed in this field then Okta will not return any group for that specific user.

    4. Configure the Response Format and Group Name Format you would like to use to pass this information along to your RADIUS application or infrastructure. Like the RADIUS attribute, this can vary depending on your setup and the specific vendor’s hardware. For help in configuring this setting, contact the vendor’s technical support team.
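The question and the answer above both come down to one point: Okta's RADIUS app returns group names in attribute 11 (Filter-Id) or 25 (Class), not a cisco-av-pair with shell:priv-lvl, so the mapping from group to privilege level has to live on the receiving side. The following added example (not Okta's code and not part of the original thread) builds a constructed Access-Accept of that shape, verifies its Response Authenticator against the shared secret before trusting anything in it, pulls the group list out of Filter-Id, shows that no Cisco vendor-specific attribute is present, and applies a hypothetical local group-to-privilege-level policy. The RADIUS constants are the standard RFC 2865 values; the policy table, the ";" delimiter (which depends on the Response Format chosen in the Okta app), the shared secret and the group names are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Standard RADIUS values (RFC 2865 / IANA), not Okta-specific
CODE_ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11        # "11 Filter-ID" in the Okta dropdown
ATTR_CLASS = 25            # "25 Class" in the Okta dropdown
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR = 1           # cisco-av-pair sub-attribute, e.g. "shell:priv-lvl=15"

# Hypothetical local policy (constructed): Okta group name -> IOS privilege level.
# Any group not listed grants nothing (deny by default).
GROUP_PRIV_LEVEL = {"NetAdmins": 15, "NetOps": 7, "NetReadOnly": 1}


def encode_attr(atype, value):
    """Encode one RADIUS attribute TLV: type, length (incl. header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single TLV")
    return bytes([atype, 2 + len(value)]) + value


def cisco_avpair_vsa(avpair):
    """Encode a Cisco VSA carrying one cisco-av-pair string (what the switch wants)."""
    inner = encode_attr(CISCO_AVPAIR, avpair.encode())
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack(">I", CISCO_VENDOR_ID) + inner)


def build_access_accept(identifier, request_auth, secret, attrs):
    """Access-Accept whose Response Authenticator = MD5(header|ReqAuth|attrs|secret)."""
    body = b"".join(attrs)
    header = struct.pack(">BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response_authenticator(packet, request_auth, secret):
    """The NAS must check this before acting on any attribute in the reply."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); reject malformed lengths up front."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def extract_groups(attrs, attr_type=ATTR_FILTER_ID, delimiter=";"):
    """Group names from Filter-Id (or Class); delimiter follows the Okta Response Format."""
    groups = []
    for atype, value in attrs:
        if atype == attr_type:
            groups.extend(g for g in value.decode("utf-8", "replace").split(delimiter) if g)
    return groups


def extract_cisco_avpairs(attrs):
    """cisco-av-pair strings from Cisco VSAs, if the server sent any (Okta does not)."""
    pairs = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack(">I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + vlen].decode("utf-8", "replace"))
            pos += vlen
    return pairs


def privilege_for_groups(groups, policy=GROUP_PRIV_LEVEL):
    """Highest level the local policy grants, or None (no exec authorization)."""
    levels = [policy[g] for g in groups if g in policy]
    return max(levels) if levels else None


def demo():
    """Constructed Okta-style reply: groups in Filter-Id and Class, no Cisco VSA."""
    secret = b"example-shared-secret"   # constructed, not a real secret
    request_auth = bytes(range(16))     # constructed Request Authenticator
    reply = build_access_accept(7, request_auth, secret, [
        encode_attr(ATTR_FILTER_ID, b"NetOps;Helpdesk"),
        encode_attr(ATTR_CLASS, b"NetOps;Helpdesk"),
    ])
    if not verify_response_authenticator(reply, request_auth, secret):
        return None
    code, attrs = parse_attributes(reply)
    groups = extract_groups(attrs)
    return {"code": code, "groups": groups, "avpairs": extract_cisco_avpairs(attrs),
            "priv_lvl": privilege_for_groups(groups)}


if __name__ == "__main__":
    print(demo())
```

Running the block prints the parsed reply: group list ["NetOps", "Helpdesk"], an empty cisco-av-pair list, and privilege level 7 from the local table. The unknown group "Helpdesk" is simply ignored, and a user whose only returned groups are unknown gets None, which mirrors the "deny unless explicitly mapped" behaviour you would want on the device. The authenticator check is deliberately first: an Access-Accept that fails it should be dropped, not parsed.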
This question is closed.