Configure ASA IKEv2 Remote Access with EAP-TTLS to interoperate with Okta via RADIUS
Okta provides the ability for organizations to manage authorization and access to on-premises applications and resources using the RADIUS protocol and the Okta RADIUS agent. With the Okta RADIUS Server Agent organizations can delegate authentication to Okta.
This page describes how to configure a Cisco ASA IKEv2 VPN to use EAP-TTLS with the Okta RADIUS Server Agent.
If you are using AnyConnect 4.4 or later and ASA 9.7.1 or later, consider using SAML instead.
For information and a comparison between SAML and RADIUS user experiences see About SAML vs RADIUS User Experience.
Before You Begin
Network connectivity minimum requirements for the Okta RADIUS Agent:
| Source | Destination | Port | Purpose |
| Okta RADIUS Agent | Okta Identity Cloud | TCP/443 | Configuration and authentication traffic |
| Cisco ASA | Okta RADIUS Agent | UDP/1812 RADIUS (the actual port is the UDP Port you set on the RADIUS app in Okta, Part 2) | RADIUS traffic between the firewall (client) and the RADIUS Agent (server) |
Use this integration guide to configure the Okta RADIUS Server Agent for older software versions or in cases where SAML authentication does not meet your requirements.
There are eight parts to the configuration. In addition to the required steps, you can configure optional settings. A list of additional resources is also provided.
- Part 1 – Install and configure the Okta RADIUS Agent
- Part 2 – Configure the Cisco ASA RADIUS app in Okta
- Part 3 – Configure Cisco ASA VPN to use the Okta RADIUS App
- Part 4 – Modify the IPsec (IKEv2) Connection Profile to use the new authentication server group
- Part 5 – Configure Windows VPN
- Part 6 – Add the certificate to Trusted Root CAs
- Part 7 – Test your Configuration
- Part 8 – Configure Optional Settings
Part 1 – Install and configure the Okta RADIUS Agent
Configuring the Cisco ASA VPN to use the Okta RADIUS Agent requires installation and configuration of the RADIUS agent.
- Contact Okta support for the latest EA version of the Okta RADIUS Agent.
- Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
The service account used during installation must be granted at least one of the admin roles: Super admin or App admin.
- For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.
Part 2 – Configure the Cisco ASA RADIUS app in Okta
In this section you will use the Okta Admin Console to:
- Add the Cisco ASA - RADIUS app from the OIN
- Apply settings specific to your deployment
Specifically you will configure:
- Authentication configuration
- Application username format
The U2F security key and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations: RADIUS carries only the credential string the client types, so factors that need a browser or platform authenticator cannot be completed over it.
For additional information about the RADIUS apps, refer to Configuring RADIUS applications in Okta.
Optional advanced RADIUS settings for reporting the client IP to Okta and sending group information to the firewall are covered at the end of this document (Part 8).
- In Okta, navigate to Applications > Applications > Add Application.
- Search for Cisco ASA and click Add.
- Enter a unique name.
Provide the following Sign On values:
- Authentication: Leave the default selected so that Okta performs primary authentication.
- UDP Port: Required. The port on which the agent listens for this app. Each RADIUS app on an agent needs its own port; enter it here and use the same value for the Server Authentication Port on the Cisco ASA (Part 3).
- Secret Key: Required. The RADIUS shared secret. The ASA and the agent use it to obfuscate the User-Password attribute and to authenticate RADIUS messages, so it must be identical to the Server Secret Key configured on the Cisco ASA (Part 3). Use a long random value; the RADIUS layer between the ASA and the agent has no other protection.
- Application username format: Determines the form of the username the RADIUS client sends, which Okta matches against the user's profile. Select an option from the drop-down menu.
- Enable EAP-TTLS:
- Click Sign On near the top of the screen.
- Scroll to the Authentication Protocol section and click Use EAP-TTLS authentication.
- Upload the server certificate chain and private key. This is the certificate the Windows client validates during the TTLS handshake, so it must chain to a CA the clients trust (see Part 6).
- Enter the password used to protect the certificate and key.
Note: Okta recommends password protecting certificates and keys.
- Select the TLS version the clients will negotiate.
- Click Save.
- After completing the setup, assign the app to the users/groups that require access.
For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.
Part 3 – Configure Cisco ASA VPN to use the Okta RADIUS App
In this section you will use the Cisco ASDM console to:
- Define an AAA Server Group that uses the RADIUS protocol
- Add the Okta RADIUS Agent as a server in that group
Define an AAA Server Group
- Sign in to the Cisco ASDM console for the VPN appliance using an account with sufficient privileges.
- Navigate to Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups.
- Click Add to create a new group.
The Add AAA Server Group dialog displays.
Leave the default settings except for the following:
- AAA Server Group – specify a name to identify the group for the MFA server
- Protocol – select RADIUS
- Click OK.
Add AAA Server(s) to your AAA Server Group
- Under Remote Access VPN, navigate to AAA/Local Users > AAA Server Groups and select the server group you just created.
- In the Servers in the Selected Group pane, click Add.
The Add AAA Server dialog displays.
- Specify the following, leaving all other fields unchanged:
- Interface Name – select the interface that will handle communication with the MFA server
- Server Name or IP Address – specify the name or IP address of the Okta RADIUS Agent
- Timeout (seconds) – 60 seconds, long enough for the user to approve a push or enter an OTP
- Server Authentication Port – the UDP Port you entered for the app in Okta (Part 2). Port 1812 is used in this example.
- Server Accounting Port – 1646. This value is not used, but must be entered to complete the setup.
- Retry Interval – leave the default
- Server Secret Key – the Secret Key you entered for the app in Okta (Part 2)
- Common Password – leave blank
- Uncheck Microsoft CHAPv2 Capable (important)
- Click OK.
Click Apply to save the configuration.
Part 4 – Modify the IPsec (IKEv2) Connection Profile to use the new authentication server group
- Open the Cisco ASDM console for the VPN appliance.
- Click Configuration.
- Select Remote Access VPN.
- In the Remote Access VPN section, select IPsec(IKEv2) Connection Profiles.
- Select the DefaultRAGroup profile and click Edit.
- Under User Authentication, set Server Group to the AAA server group you created in Part 3, so that authentication requests are sent to the Okta RADIUS Agent.
- In the IKE Peer Authentication section, check Enable peer authentication using EAP and Send an EAP identity request to the client.
- Click OK to save, then click Apply.
Part 5 – Configure Windows VPN
- On the Windows system, open Settings.
- From the Settings home page, or using Find a setting, select VPN.
- Click Add a VPN connection.
In the Add a VPN connection dialog enter:
- VPN provider – Windows (built-in)
- Connection name – an appropriate name
- Server name or address – the FQDN of the ASA
- VPN type – IKEv2
- Click Save.
- Navigate to Network Connections, right-click the new VPN connection and choose Properties.
- Select the Security tab.
- Under Authentication, select Use Extensible Authentication Protocol (EAP).
From the drop-down select Microsoft: EAP-TTLS (encryption enabled), then click Properties.
The TTLS Properties dialog displays.
- In the Client authentication section of the TTLS Properties dialog, select Select a non-EAP method for authentication and choose Unencrypted password (PAP).
PAP is acceptable here only because it runs inside the TTLS tunnel: the credentials are protected exactly as well as the client validates the server certificate, which is why Part 6 matters.
- Click OK to complete the configuration.
Part 6 – Add the certificate to Trusted Root CAs
This and similar integrations require either CA-issued or self-signed certificates.
Obtain server certificates from a known certificate authority such as DigiCert, Comodo SSL or another authority.
Okta does not endorse any specific certificate authority.
With EAP-TTLS the Windows client validates the server certificate you uploaded in Part 2. If that certificate was issued by your own CA (or is self-signed), add the issuing CA certificate (or the self-signed certificate itself) to the Trusted Root Certification Authorities store on each client. Without it the client cannot tell the real RADIUS server from a man-in-the-middle presenting its own certificate, and the PAP credentials sent inside the tunnel would be exposed.
To add a certificate to the Trusted Root CA store in Windows 10:
- Open the Microsoft Management Console, or MMC.
- From the file menu select File > Add/Remove Snap-in.
- In the Add/Remove Snap-in dialog, in the Available snap-ins section, select Certificates and click Add.
- In the Certificates snap-in dialog, select Computer account and click Next.
- In the Select Computer dialog, select Local computer and click Finish.
- Click OK.
- Navigate to Console Root > Certificates (Local Computer) > Personal.
- Right click Personal and select All Tasks > Import.
The Certificate Import wizard will start.
- Click Next.
- Enter the fully qualified path or use the Browse button to navigate to the directory containing the certificate.
- Select the certificate and click Next.
- Click Finish. The certificate will be imported.
- From Certificates (Local Computer) > Personal > Certificates, select the newly imported certificate and drag it to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
The certificate has now been added as a trusted root certificate.
Part 7 – Test your Configuration
There is a single test to confirm this flow.
Network Diagram – Single-step Flow
- Select the newly added VPN and click Connect.
- Enter your username and, in the password field, your password followed by a comma and the MFA method (for example password,push), then click OK.
- The username must be in the format you specified when you added the app in Okta in Part 2.
- After the password, enter a comma (,) and the second factor, such as:
- 123456 – a code from Okta Verify, Google Authenticator or a YubiKey OTP
- push – trigger a push notification to the enrolled phone
- sms – trigger an SMS to the enrolled phone
- other – any other configured method
- If you receive an error, check your username and password and try again.
After successfully completing the challenge, you are connected.
Part 8 – Configure Optional Settings
There are two optional settings you can configure: Client IP Reporting and Groups Response.
Configure Client IP Reporting
To let Okta parse, report on and eventually enforce policy based on the source client IP address, configure the Cisco ASA VPN (RADIUS) app in Okta as follows:
Enter the following settings in Advanced RADIUS Settings, found on the Sign On tab for the RADIUS app in your Okta Admin Console:
- Client IP: Check Report client IP.
- RADIUS End User IP Attributes: 31 Calling-Station-Id
Configure Groups Response
The app can return the user's groups to the firewall on the standard attribute value pairs (AVPs) 11 (Filter-Id) and 25 (Class). Configure the Cisco ASA VPN (RADIUS) App in Okta as follows:
Enter the group settings in Advanced RADIUS Settings, found on the Sign On tab for the RADIUS app in your Okta Admin Console.
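The RADIUS exchange that sits behind the settings in Parts 2, 3, 7 and 8, as an added example (it is not Okta or Cisco code): it builds a PAP Access-Request the way a NAS does, which shows why the Secret Key must be identical on the ASA and the agent (it keys both the User-Password obfuscation and the Message-Authenticator HMAC), why a reply is trusted only after its Response Authenticator checks out, how the password,push credential from Part 7 travels, and where Calling-Station-Id (31), Filter-Id (11) and Class (25) from Part 8 sit. Everything in it is constructed: the secret, the user, the client IP and the Access-Accept that stands in for a real agent reply.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FILTER_ID, CLASS, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 1, 2, 11, 25, 31, 80

def attr(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attributes(packet: bytes) -> list:
    """Walk the attribute list that follows the 20-octet RADIUS header."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple and XOR each block with MD5(secret || previous block).
    The keystream depends on the shared secret, which is why ASA and agent must hold the same value."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def decode_user_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password: what the agent does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += bytes(c ^ k for c, k in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(identifier: int, secret: bytes, username: str, password: str,
                         client_ip: str = "203.0.113.10", authenticator: bytes = b"") -> bytes:
    """Access-Request carrying PAP credentials, Calling-Station-Id (the attribute Okta reads for
    client IP reporting, Part 8) and a Message-Authenticator HMAC-MD5 over the packet (RFC 2869)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + attr(CALLING_STATION_ID, client_ip.encode())
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, overwritten below
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC-MD5 with the attribute zeroed; a packet without one is rejected."""
    pos = 20
    while pos + 2 <= len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), packet[pos + 2:pos + 18])
        pos += max(length, 2)
    return False

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuthenticator|Attributes|Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: trust a reply only if its authenticator binds it to our request and the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def groups_from_response(response: bytes) -> list:
    """Group names the app can return on Filter-Id (11) or Class (25), as described in Part 8."""
    return [v.decode(errors="replace") for t, v in parse_attributes(response) if t in (FILTER_ID, CLASS)]

if __name__ == "__main__":
    SECRET = b"change-me-shared-secret"  # constructed; must equal the Secret Key in the app and on the ASA
    # "password,push" is the Part 7 convention: the MFA method follows the password after a comma
    req = build_access_request(7, SECRET, "alice@example.com", "Passw0rd!,push")
    # A constructed Access-Accept standing in for the agent's reply; a live test would sendto() the
    # agent's UDP port instead and pass the datagram it returns to verify_response()
    accept = build_response(ACCESS_ACCEPT, req, SECRET, attr(CLASS, b"vpn-users"))
    print("request MAC ok:", verify_message_authenticator(req, SECRET))
    print("accept genuine:", verify_response(accept, req, SECRET), groups_from_response(accept))
    print("forged reply rejected:", not verify_response(build_response(ACCESS_ACCEPT, req, b"wrong"), req, SECRET))
```

To use it against a real agent, send the request with socket.sendto to the agent's address and the app's UDP Port and pass whatever comes back to verify_response(): any reply whose authenticator verifies, Accept or Reject, proves the port is open and the secrets match, because only a holder of the same secret can compute it, while a wrong secret typically produces no reply at all. Note that with EAP-TTLS enabled the ASA never puts the password in User-Password; it relays EAP in EAP-Message attributes and the PAP credentials travel inside the TLS tunnel terminated by the agent, so treat this as a model of the RADIUS layer underneath that exchange rather than a capture of it.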
Additional Resources
- Okta Documentation - Configuring Sign On Policies
- Current Cisco ASA and ASDM Configuration Guides: https://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.htm