Configure the Cisco ASA VPN to Interoperate with Okta via RADIUS

This guide details how to configure Cisco ASA VPN to use the Okta RADIUS Server Agent. The agent is a lightweight service installed outside Okta, typically behind your firewall, that tunnels communication between an on-premises service and Okta's cloud service. Okta offers several agent types (Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA), and you can install more than one agent of a type for redundancy across locations.

Okta and Cisco ASA interoperate through RADIUS; a SAML app for Cisco ASA is also available (see the note below). On each Cisco ASA appliance you define AAA server groups, which can be RADIUS, TACACS+, LDAP, and so on. With the RADIUS option, the Okta RADIUS Server Agent receives the ASA's RADIUS authentication requests and translates them into Okta API calls.
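The following is an added example, not configuration from the Okta guide, showing the two ASA pieces the paragraph above refers to: a RADIUS AAA server group pointing at the host running the Okta RADIUS Server Agent, and a remote-access tunnel group that authenticates against it. The group names, the agent address 10.0.0.5, the interface name, the ports and the shared-secret placeholder are all assumptions; substitute your own values, and make sure the port matches what you configured for the agent in the Okta admin console.

```cisco
! Added example (not from the Okta guide). All names, addresses, ports and the
! shared secret below are assumptions to be replaced with your own values.
!
! 1. RADIUS AAA server group. The host is the on-premises server running the
!    Okta RADIUS Server Agent, reachable from the ASA "inside" interface.
!    1812/1813 are the conventional RADIUS ports; the agent's listening port
!    is configured on the Okta side and must match.
aaa-server OKTA_RADIUS protocol radius
 max-failed-attempts 3
 reactivation-mode timed
aaa-server OKTA_RADIUS (inside) host 10.0.0.5
 key REPLACE_WITH_SHARED_SECRET
 authentication-port 1812
 accounting-port 1813
 timeout 60
 retry-interval 10
!
! 2. Remote-access tunnel group that authenticates through that server group.
!    "timeout 60" above stops the ASA from abandoning the request while the
!    user answers an out-of-band MFA prompt; the ASA default is too short
!    for a push notification to be acknowledged.
tunnel-group OKTA_VPN type remote-access
tunnel-group OKTA_VPN general-attributes
 authentication-server-group OKTA_RADIUS
 default-group-policy OKTA_VPN_POLICY
tunnel-group OKTA_VPN webvpn-attributes
 group-alias Okta enable
```

Before cutting users over, check the RADIUS path independently of the ASA with a FreeRADIUS client from a host on the same segment, for example `radtest <user> '<password>' 10.0.0.5 0 <shared-secret>`, and confirm an Access-Accept comes back. Keep in mind that RADIUS protects the password only with the shared secret (MD5-based obfuscation, no transport encryption), so the ASA-to-agent path should stay on a trusted internal network and the secret should be long and random rather than a dictionary word.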

The following best practice applies when both SAML and RADIUS are available.

For a seamless end user experience, stronger security, and a simpler architecture, use SAML if you run AnyConnect 4.4 or later and ASA 9.7.1 or later.

Use this integration guide to configure the Okta RADIUS Server Agent for older software versions, or where SAML authentication does not meet your requirements.

Note: The SAML app for Cisco ASA is named Cisco ASA VPN (SAML). To use it, add the app, click Sign On in the top menu, and then click View Setup Instructions for installation instructions tailored to your organization.

There are six parts to the configuration. In addition to the required steps, you can configure optional settings. A list of additional resources is also provided.