Configure ASA IKEv2 Remote Access with EAP-TTLS to interoperate with Okta via RADIUS
Okta provides the ability for organizations to manage authorization and access to on-premises applications and resources using the RADIUS protocol and the Okta RADIUS agent. With the Okta RADIUS Server Agent, organizations can delegate authentication to Okta.
This page describes how to configure a Cisco ASA IKEv2 VPN to use EAP-TTLS and the Okta RADIUS Server Agent.
If you are using AnyConnect v4.4 and greater and ASA version 9.7.1 and greater, consider using SAML instead.
For information and a comparison between SAML and RADIUS user experiences see About SAML vs RADIUS User Experience.
Before You Begin
Network connectivity minimum requirements for the Okta RADIUS Agent:

| Source | Destination | Port | Description |
|---|---|---|---|
| Okta RADIUS Agent | Okta Identity Cloud | TCP/443 | Configuration and authentication traffic |
| Cisco ASA | Okta RADIUS Agent | UDP/1812 RADIUS (actual port number defined during Part 1 – Install and configure the Okta RADIUS Agent) | RADIUS traffic between the firewall (client) and the RADIUS Agent (server) |
Use this integration guide to configure the Okta RADIUS Server Agent for older software versions or in cases where SAML authentication does not meet your requirements.
There are six parts to the configuration. In addition to the required steps, you can configure optional settings. A list of additional resources is also provided.
- Part 1 – Install and configure the Okta RADIUS Agent
- Part 2 – Configure the Okta RADIUS Agent
- Part 3 – Configure Cisco ASA VPN to use the Okta RADIUS App
- Part 4 – Modify the IPSec(IKEv2) Connection Profile to use the new Authentication Server group.
- Part 5 – Configure Windows VPN
- Part 6 – Add Certificate to Trusted Root CA
- Part 7 – Test your Configuration
- Part 8 – Configure Optional Settings
Part 1 – Install and configure the Okta RADIUS Agent
Configuring the Cisco ASA VPN to use the Okta RADIUS Agent requires installation and configuration of the RADIUS agent.
- Contact Okta support for the latest EA version of the Okta RADIUS Agent.
- Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
The service account used during installation must be granted at least one of the admin roles: Super admin or App admin.
- For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.
Part 2 – Configure the Okta RADIUS Agent
In this section you will use the Okta Admin Console to:
- Add the Cisco ASA - RADIUS app from the OIN.
- Apply settings specific to your deployment.
Specifically you will configure:
- Authentication configuration
- Secret Key
- Application Username Format
The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the RADIUS apps, refer to Configuring RADIUS applications in Okta.
There are some optional advanced RADIUS configuration options, listed at the end of this document, that help with reporting the client IP and sending group information to the firewall.
- In Okta, navigate to Applications > Applications > Add Application.
- Search for Cisco ASA, and click Add Application.
- Enter a unique name.
Provide the following Sign On values:
- Authentication: Retaining this default button allows Okta to perform primary authentication.
- UDP Port: Required. Each RADIUS app has a unique number. Enter it here.
- Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Cisco ASA.
- Application username format: This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.
- Enable EAP-TTLS
- Click Sign on near the top of the screen.
- Scroll to the Authentication Protocol section and click Use EAP-TTLS authentication.
- Upload the server certificate chain and private key.
- Enter the password used to protect the certificate and key.
Note: Okta recommends password protecting certificates and keys.
- Select the TLS version.
- Click Save.
- After completing the setup, assign the app to the users/groups that require access.
For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.
Part 3 – Configure Cisco ASA VPN to use the Okta RADIUS App
In this section you will use the Cisco ASA Admin Console to:
- Define a RADIUS Server Profile
- Define an Authentication Profile for Okta RADIUS Agent
- Apply the Okta RADIUS Authentication Profile to a Gateway
- Configure the portal to use the Okta RADIUS Authentication Profile.
- Define an AAA Server Group
- Sign in to the Cisco ASDM console for the VPN appliance using an account with sufficient privileges.
- Navigate to Configuration > Remote Access VPN > AAA/Local users > AAA server groups, as shown below.
- Click Add to create a new group.
The Add AAA Server Group dialog displays.
Leave the default settings except for the following:
- AAA Server Group – specify a name to identify the group for the MFA server
- Protocol – select RADIUS if necessary
- Click OK.
- Add AAA Server(s) to your AAA Server Group
Select Remote Access VPN and navigate to AAA/Local Users > AAA Server Groups.
Select the server group just created.
The Edit 'ServerName' Server dialog displays.
- Specify the following, leaving all other fields unchanged:
- Interface Name – select the interface that will handle communication with the MFA Server
- Server Name or IP Address – specify the name or the IP address of the Okta RADIUS Agent
- Timeout (seconds) – 60 seconds
- Server Authentication port – enter the port number you configured above in step 3 when setting up the app in Okta. Port 1812 was used as the example.
- Server Accounting Port – 1646. This value is not used, but must be entered to complete the setup.
- Retry Interval – leave default at 60 seconds
- Server Secret Key – provided secret defined above in step 3 when setting up the app in Okta.
- Common Password – leave blank.
- Uncheck Microsoft CHAPv2 Capable (important).
- Click OK.
Click Apply to save the configuration.
Part 4 – Modify the IPSec(IKEv2) Connection Profile to use the new Authentication Server group
- Open the Cisco ASDM console for the VPN appliance.
- Click Configuration.
- Select Remote Access VPN.
- In the Remote Access VPN section, select IPsec(IKEv2) Connection Profiles.
- Select the DefaultRAGroup group, and click Edit.
- In the IKE Peer Authentication section, enable Enable Peer to Peer authentication using EAP and Send an EAP Identity request to the client.
- Click OK to save.
Part 5 – Configure Windows VPN
- On the Windows system, open Settings.
- From the Settings home page, or using Find a setting, select VPN.
- Click Add a VPN connection.
In the add a VPN dialog enter:
- VPN provider – Windows (built-in).
- Connection name – An appropriate name.
- Server name or address – <Address of ASA FQDN>
- VPN type – IKEv2
- Click Save.
- Navigate to Network Connections and select the new VPN, right click and choose Properties.
- Select the security tab.
- In the Authentication section, select Use Extensible Authentication Protocol (EAP).
- From the dropdown, select Microsoft: EAP-TTLS (encryption enabled), then click Properties.
The TTLS Properties dialog will display.
- In the Client Authentication section of the TTLS Properties dialog, enable Select a non-EAP method for authentication and then choose Unencrypted (PAP).
- Click OK to complete the configuration.
Part 6 – Add Certificate to Trusted Root CA
With EAP-TTLS, if the server certificate is signed by your own CA, add that CA certificate to the Trusted Root Certification Authorities store so the client can validate the ASA's certificate. The inner PAP credentials are protected only by the TLS tunnel, so this validation is what prevents man-in-the-middle attacks.
To add a certificate to the Trusted Root CA store in Windows 10:
- Open the Microsoft Management Console, or MMC.
- From the file menu select File > Add/Remove Snap-in.
- In the Add/Remove Snap-in dialog, in the Available snap-ins section, select Certificates and click Add.
- In the Certificates snap-in dialog, select Computer account and click Next.
- In the Select Computer dialog, select Local computer and click Finish.
- Click OK.
- Navigate to Console Root > Certificates (Local Computer) > Personal.
- Right click Personal and select All Tasks > Import.
The Certificate Import wizard will start.
- Click Next.
- Enter the fully qualified path or use the Browse button to navigate to the directory containing the certificate.
- Select the certificate and click Next.
- Click Finish. The certificate will be imported.
- From Certificates (Local Computer) > Personal > Certificates, select the newly added certificate and drag it to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
The new certificate has been successfully added as a trusted root certificate.
Part 7 – Test your Configuration
There is a single test to confirm this flow.
Network Diagram – Single-step Flow
Select the newly added VPN and click Connect.
- Enter your username and password (optionally followed by ,push or another MFA method), then click OK.
- The username must be in the format you specified when you added the app in Okta in Part 2.
- After the password, enter a comma (,) and a second MFA method, such as:
- 123456 – code from Okta Verify, Google Authenticator, or YubiKey OTP
- push – trigger a push notification to the enrolled phone
- sms – trigger an SMS to the enrolled phone
- other – any other configured method
- If you receive an error, check your username and password and try again.
After successfully completing the challenge, you are connected.
Part 8 – Configure Optional Settings
There are two optional settings you can configure: Client IP Reporting and Groups Response.
Configure Client IP Reporting
To allow Okta to parse, report on, and eventually enforce policy based on the source client IP address, configure the Cisco ASA VPN (RADIUS) App in Okta as follows:
Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the RADIUS app in your Okta Admin Console, as shown below.
- Client IP: Check Report client IP.
- RADIUS End User IP Attributes: 31 Calling-Station-Id
Configure Groups Response
The app is capable of receiving and parsing groups on the standard Attribute Value Pairs (AVP) of 11 (Filter-Id) and 25 (Class). Configure the Cisco ASA VPN (RADIUS) App in Okta as follows:
Enter the settings shown below in Advanced RADIUS Settings found on the Sign On tab for the RADIUS app in your Okta Admin Console.
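The RADIUS mechanics behind the Secret Key setting in Part 2, the username,MFA-method format in Part 7, and the Calling-Station-Id (31), Filter-Id (11) and Class (25) attributes in Part 8, as an added Python example that is not part of this guide or of the Okta agent: it builds a PAP Access-Request the way the ASA would, hides the password with the shared secret per RFC 2865, and checks the Response Authenticator of a constructed Access-Accept before reading group attributes. The secret, user, IP and group names are constructed sample values.

```python
import hashlib
import os
import struct

SHARED_SECRET = b"example-shared-secret"  # constructed sample; use the Okta app's secret in practice
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FILTER_ID, CLASS, CALLING_STATION_ID = 1, 2, 11, 25, 31

def pap_password(data: bytes, secret: bytes, authenticator: bytes, hide: bool = True) -> bytes:
    # RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block); chaining uses the hidden block
    data = data + b"\x00" * (-len(data) % 16) if hide else data
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(b ^ k for b, k in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hide else data[i:i + 16]
        out += block
    return out if hide else out.rstrip(b"\x00")

def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def parse_avps(data: bytes) -> list:
    avps, i = [], 0
    while i < len(data):
        avps.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return avps

def build_access_request(username: str, password: str, client_ip: str, secret: bytes, ident: int = 1) -> bytes:
    # Client (ASA) side: User-Name may carry the "user,push" MFA suffix; AVP 31 reports the client IP
    authenticator = os.urandom(16)
    attrs = avp(USER_NAME, username.encode()) + avp(CALLING_STATION_ID, client_ip.encode())
    attrs += avp(USER_PASSWORD, pap_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(request: bytes, groups: list, secret: bytes) -> bytes:
    # Server (Okta agent) side: echo the request ID, return groups as Filter-Id, add the Response Authenticator
    attrs = b"".join(avp(FILTER_ID, g.encode()) for g in groups)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def groups_from_accept(response: bytes, request: bytes, secret: bytes) -> list:
    # Client side: verify the Response Authenticator against the request before trusting any group AVP
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    if response[0] != ACCESS_ACCEPT or response[1] != request[1] or expected != resp_auth:
        raise ValueError("response authenticator check failed or ID mismatch")
    return [v.decode() for t, v in parse_avps(attrs) if t in (FILTER_ID, CLASS)]
```

A reply built with a different secret fails the authenticator check, which is the same failure you see on the ASA when the Server Secret Key does not match the Okta app.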
Additional Resources
- Okta Documentation - Configuring Sign On Policies
- Current Cisco ASA and ASDM Configuration Guides: https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.htm