Configure ASA IKEv2 Remote Access with EAP-TTLS to interoperate with Okta via RADIUS

Okta provides the ability for organizations to manage authorization and access to on-premises applications and resources using the RADIUS protocol and the Okta RADIUS agent. With the Okta RADIUS Server Agent, organizations can delegate authentication to Okta.

This page describes how to configure Cisco ASA IKEv2 VPN to use EAP-TTLS and the Okta RADIUS Server Agent.


For information and a comparison between SAML and RADIUS user experiences, see About SAML vs RADIUS User Experience.

Before You Begin

Minimum network connectivity requirements for the Okta RADIUS Agent:

| Source | Destination | Port/Protocol | Description |
|---|---|---|---|
| Okta RADIUS Agent | Okta Identity Cloud | TCP/443 | Configuration and authentication traffic |
| Cisco ASA | Okta RADIUS Agent | UDP/1812 RADIUS (actual port number defined during Part 1 – Install and configure the Okta RADIUS Agent) | RADIUS traffic between the firewall (client) and the RADIUS Agent (server) |

Use this integration guide to configure the Okta RADIUS Server Agent for older software versions or in cases where SAML authentication does not meet your requirements.


There are six parts to the configuration. In addition to the required steps, you can configure optional settings. A list of additional resources is also provided.