Configure ASA IKEv2 Remote Access with EAP-TTLS to interoperate with Okta via RADIUS

Configuring the Cisco ASA VPN to use the Okta RADIUS Agent requires installation and configuration of the RADIUS agent.

1. Contact Okta support for the latest EA version of the Okta RADIUS Agent.
2. Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
   

   Note

   The service account used during installation must be granted at least one of the adminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. roles: Super adminThe super admin receives full access to every item in the Administrative Console and is the only role that can assign administrator roles to other user accounts. Accounts with other administrator role assignments have reduced functionalities to different permission sets. Contact Okta support to create an Okta Mastered account with Super Admin rights. or App adminAn app admin can be granted access to all instances of an app, or just specific instances of that application. This allows for more granular access control..

3. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

In this section you will use the Okta Admin Console to:

• Add the Cisco ASA - RADIUS app from the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs.
• Apply settings specific to your deployment.
  

Specifically you will configure:

• Authentication configuration

• UDP Port

• Secret KeyAn Okta-generated string of characters that allows end users to set up (enroll) their mobile device in to Okta Verify. End users enter the Secret Key in the Okta Verify app during the set up process as an alternative to scanning a QR code.

• Application Username Format

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending GroupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. information to the firewall.

1. In Okta, navigate to Applications > Applications> Add Application.
2. Search for Cisco ASA, and click Add Application.



3. Enter a unique name.

4. Provide the following Sign On values:

   • Authentication: Retaining this default button allows Okta to perform primary authentication.

   • UDP Port: Required. Each RADIUS app has a unique number. Enter it here.

   • Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Cisco ASA) app.

   • Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.

5. Enable EAP-TTLS
   1. Click Sign on near the top of the screen.
   2. Scroll to the Authentication Protocol section and click Use EAP-TTLS authentication.
   3. Upload the server certificate chain and private key.
   4. Enter the password used to protect the certificate and key.
      Note: Okta recommends password protecting certificates and keys.
   5. Select the TLS version.
   6. Click Save.
      
6. After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

In this section you will use the Cisco ASA Admin Console to:

• Define a RADIUS Server Profile
• Define an Authentication Profile for Okta RADIUS Agent
• Apply the Okta RADIUS Authentication Profile to a Gateway

and

• Configure the portal to use the Okta RADIUS Authentication Profile.
  

1. Define an AAA Server Group
   1. Sign in to the Cisco ASDM console for the VPN appliance using an account with sufficient privileges.
   2. Navigate to Configuration > Remote Access VPN > AAA/Local users > AAA server groups, as shown below.

      

   3. Click Add to create a new group.
      The Add AAA Server Group dialog displays.

      

   4. Leave the default settings except for the following:

      • AAA Server Group – specify a name to identify the group for the MFA server

      • Protocol – select RADIUS if necessary

   5. Click OK.
2. Add AAA Server(s) to your AAA Server Group

   1. Select Remote Access VPN and navigate to AAA/Local Users > AAA Server Groups.
      Select the server group just created.

   2. Click Add.
      The Edit 'ServerName' Server dialog displays.

      

   3. Specify the following, leaving all other fields unchanged:
      • Interface Name – select the interface that will handle communication with the MFA Server
      • Server Name or IP Address – specify the name or the IP address of the Okta RADIUS Agent
      • Timeout (seconds) – 60 seconds
      • Server Authentication port – enter the port number you configured above in step 3 when setting up the app in Okta. Port 1812 was used as the example.
      • Server Accounting Port – 1646. This value is not used, but must be entered to complete the setup.
      • Retry Interval – leave default at 60 seconds
      • Server Secret Key – provided secret defined above in step 3 when setting up the app in Okta.
      • Common Password – leave blank.
      • Uncheck Microsoft CHAPv2 Capable. (important).
   4. Click OK.

   5. Click APPLY to save the configuration.

1. Open the Cisco ASDM console for the VPN appliance.
2. Click Configuration.
   
3. Select Remote Access VPN.
   
4. In the Remote Access VPN section, select IPsec(IKEv2) Connection Profiles.
   
5. Select the DefaultRAGroup group, and click Edit.
   
6. In the IKE Peer Authentication Group section enable Enable Peer to Peer authentication using EAP and Send an EAP Identity request to the client.
   

7. Click OK to save.

1. On the Windows system open settings.
2. From the settings home page, or using Find a setting select VPN.
3. click Add a VPN connection.
   

4. In the add a VPN dialog enter:

   • VPN provider – Windows (built-in).
   • Connection name – An appropriate name.
   • Server name or address – <Address of ASA FQDNA fully qualified domain name (FQDN) is the complete domain name for a specific computer, or host, on the internet..>
   • VPN type – IKEv2
   
5. Click Save.
6. Navigate to Network Connections and select the new VPN, right click and choose Properties.

7. Right click and choose Properties.
8. Select the security tab.
9. In the Authentication select enable User Extensible Authentication Protocol (EAP).
   From the dropdown select Microsoft: EAP-TTLS (encryption enabled).
   Then click Properties.
   The TTLS Properties dialog will display.
   
10. In the Client Authentication section of the TTLS Properties dialog enable
    Select a non-EAP method for authentication and then choose Unencrypted (PAP).
    
11. Click OK to complete the configuration.

EAP-TTLS, if you have our own CA signed certificate, we can add that certificate to trusted root CA to avoid man in the middle attacks.

To add a certificate to Trusted root CA in windows 10:

1. Open the Microsoft Management Console, or MMC.
   
2. From the file menu select File > Add/Remove Snap-in.
3. In the Add/Remove Snap-in dialog, in the Available snap-ins section, select Certificates and click Add.
   
4. In the Certificates snap-in dialog, select Computer account and click Next.
5. In the Select Computer dialog, select Local computer and click Finish.
6. Click OK.
7. Navigate to Console Root > Certificates (Local Computer) > Personal.
8. Right click Personal and select All Tasks > Import.
   The Certificate Import wizard will start.
   
9. Click Next.
10. Enter the fully qualified path or use the Browse button to navigate to the directory containing the certificate.
11. Select the certificate and click Next.
12. Click Finish. The certificate will be imported.
13. From Certificates (Local Computer)>Personal>Certificates select the newly added certificate and drag it to
    to Certificates (Local Computer)>Trusted Root Certification Authority>Certificates

The new certificate has been successfully added as a trusted root certificate.

There is a single test to confirm this flow.

Network Diagram – Single-step Flow

Verify the VPN is properly configured to work with Okta

1. Select the newly added VPN and click Connect.

   

2. Enter your Username, Password,[,push,click OK.

   

   • The username must be in the format you specified when you added the app in Okta in Part 2.
   • After the password enter comma(,) and second MFA method such as:
   • 123456 – Code from Okta Verify, Google Authenticator, or Yubikey OTP
   • push – trigger push notice to enrolled phone
   • sms – trigger sms to enrolled phone
   • other – any other configuration
3. If you receive the an error, check you username and password and try again.

4. After successfully completing the challenge, you are connected and see the screen resembling.

   

There are two optional settings you can configure, Client IP Reporting and Groups response.

Configure Client IP Reporting

To configure Okta to be able to parse, report on and eventually enforce policy based off of the source client IP Address you need to configure the Cisco ASA VPN (RADIUS) App in Okta as follows:

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the RADIUS app in your Okta Admin Console, as shown below.

• Client IP: Check Report client IP.
• RADIUS End User IP Attributes: 31 Calling-Station-Id

Configure Groups Response

The app is capable of receiving and parsing groups on the standard Attribute Value Pairs (AVP) of 11 (Filter-Id) and 25 (Class). Configure the Cisco ASA VPN (RADIUS) App in Okta as follows:

Enter the settings shown below in Advanced RADIUS Settings found on the Sign On tab for the RADIUS app in your Okta Admin Console.

• Okta Documentation - Configuring Sign On Policies
• Current Cisco ASA and ADSM Configuration Guides: https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.htm