Configure ASA IKEv2 Remote Access with EAP-TTLS to interoperate with Okta via RADIUS

Okta lets organizations manage authorization and access to on-premises applications and resources using the RADIUS protocol and the Okta RADIUS agent. With the Okta RADIUS Server Agent, organizations can delegate authentication to Okta.

This page describes how to configure a Cisco ASA IKEv2 VPN to use EAP-TTLS and the Okta RADIUS Server Agent.




If you are using AnyConnect v4.4 or later and ASA version 9.7.1 or later, consider using SAML.

For information and a comparison between SAML and RADIUS user experiences, see About SAML vs RADIUS User Experience.

Before You Begin

Minimum network connectivity requirements for the Okta RADIUS Agent:

| Source | Destination | Port/Protocol | Description |
| Okta RADIUS Agent | Okta Identity Cloud | TCP/443 | Configuration and authentication traffic |
| Cisco ASA | Okta RADIUS Agent | UDP/1812 RADIUS (actual port number defined during Part 1 – Install and configure the Okta RADIUS Agent) | RADIUS traffic between the firewall (client) and the RADIUS Agent (server) |

Use this integration guide to configure the Okta RADIUS Server Agent for older software versions or in cases where SAML authentication does not meet your requirements.


There are six parts to the configuration. In addition to the required steps, you can configure optional settings. A list of additional resources is also provided.





This and similar integrations require either CA-provided or self-signed certificates.
Obtain client and server certificates from a known certificate authority such as DigiCert, Comodo SSL, or other authorities.
Okta does not endorse any specific certificate authority.