Knowledge base
Training

Configure the Cisco ASA VPN to Interoperate with Okta via RADIUS

This guide details how to configure Cisco ASA VPN to use the Okta RADIUS Server AgentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations..

Okta and Cisco ASA interoperate through RADIUS (Note: A SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. appAn abbreviation of application. Essentially, it is a web-based site used to perform any number of specific tasks, and requires authentication from end users by signing in. for Cisco ASA will be available in the future). For each Cisco ASA appliance, you can configure AAA Server groupsGroups allow you to organize your end users and the apps they can access. Assigning apps to large sets of end users is made easier with groups. which can be RADIUS, TACAS+, LDAPLightweight Directory Access Protocol (LDAP) is a lightweight client-server protocol for accessing directory services, specifically X.500-based directory services. LDAP runs over TCP/IP or other connection oriented transfer services., etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls.

The following best practice compares operating with SAML and RADIUS when both are available.

ClosedBest Practice – When to interoperate with SAML vs. RADIUS

Some integrations interoperate with Okta through either RADIUS or SAML 2.0. The following screen shots compare the two end-user experiences.

SAML end-user experience

RADIUS end-user experience

There are several advantages to using SAML integrations when available.

  1. SAML provides a rich, intuitive and consistent login experience. RADIUS interacts with a text-based challenge with inconsistent formatting. Using SAML can reduce user training and support requirements and the consistent sign in experience with SAML makes users less susceptible to phishing attempts.

  2. SAML integrations provide more security as credentials are exposed to fewer parties.

  3. SAML integrations run with a simplified infrastructure. The do not require running on-premise agents and require little maintenance. The user agent (web browser, VPN clientEssentially, a client is anything that talks to the Okta service. Within the traditional client-server model, Okta is the server. The client might be an agent, an Okta mobile app, or a browser plugin. , etc.) is used to transmit messages in a secure manor; therefore, there is no need for the service provider (firewall or application server) to connect to Okta. Federation is established through a one-time exchange of SAML metadata. This one-time setup establishes trust for ongoing transactions.

  4. Okta SAML integrations are very robust and include adaptive MFA and provisioning.

For a seamless end user experience and enhanced security and simplified architecture consider using SAML if you have AnyConnect versions greater than 4.4 and ASA versions greater than 9.7.1

Use this integration guide to configure an the Okta RADIUS Server Agent for older software versions or in cases where SAML authentication does not meet your requirements.

Note: The SAML app for Cisco ASA is named Cisco ASA VPN (SAML). To use it, add the app, click Sign On in the top menu, and then, click View Setup Instructions for installation instructions tailored to your organization.

There are six parts to the configuration. In addition to the required steps, you can configure optional settings. A list of additional resources is also provided.

Closed Part 1 – Pre-configuration: Installing, and configuring the Okta RADIUS Agent.

Configuring the Cisco ASA VPN to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

  1. Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
  2. Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
  3. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud tcp/443
http		 Configuration and authentication traffic
Cisco ASA Okta RADIUS Agent udp/1812 RADIUS (actual port number defined in next step) RADIUS traffic between the firewall (client) and the RADIUSs Agent (server)
Closed Part 2 – Use the Okta Admin Console to Configure the Okta RADIUS Agent

In this step, add the Cisco ASA - RADIUS app from the OINAn acronym for the Okta Integration Network. The OIN is comprised of thousands of public, pre-integrated business and consumer applications. As an on-demand service, OIN integrations are continuously validated, always up to date, and constantly growing both in number and capability. Okta performs a single integration with an ISV or SP, providing thousands of end users with point-and-click customization for their orgs. and apply settings specific to your deployment. In this section we will configure the following:

Note: The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations. For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending Groups information to the firewall.

  1. In Okta, navigate to Applications > Applications> Add Application, search for Cisco ASA, then click Add Application:

  2. Enter a unique name.

  3. Provide the following Sign On values:

    • Authentication: Retaining this default button allows Okta to perform primary authentication.

    • UDP Port: Required. Each RADIUS app has a unique number. Enter it here.

    • Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Cisco ASA) app.

    • Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.

  4. After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

Closed Part 3 – Configure Cisco ASA VPN to use the Okta RADIUS App

In Part 3 you define a RADIUS Server Profile, define an Authentication Profile for Okta RADIUS Agent, apply the Okta RADIUS Authentication Profile to a Gateway, and configure the portal to use the Okta RADIUS Authentication Profile.
Complete these using the Cisco ASA AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Console.

Step 1 –Define an AAA Server Group

  1. Sign in to the Cisco ASDM console for the VPN appliance with sufficient privileges
  2. Navigate to Configuration > Remote Access VPN > AAA/Local users > AAA server groups, as shown below.

  3. Click Add to create a new group. The Add AAA Server Group screen opens, as shown below.

  4. Leave the default settings except for the following

    • AAA Server Group – specify a name to identify the group for the MFA server

    • Protocol – select RADIUS if necessary

Step 2 – Add AAA Server(s) to your AAA Server Group

  1. Click OK to return to the Cisco ASDM console, shown in step 2, above.

  2. Cick Remote Access VPN and navigate to AAA/Local Users > AAA Server Groups. Select the server group you just created.

  3. Click Add. The screen shown below opens.

  4. Leave the default settings except for the following
    • Interface Name – select the interface that will handle communication with the MFA Server
    • Server Name or IP Address – specify the name or the IP address of the Okta RADIUS Agent
    • Timeout (seconds) – 60 seconds
    • Server Authentication port – enter the port number you configured above in step 3 when setting up the app in Okta. Port 1812 was used as the example.
    • Server Accounting Port – 1646. This value is not used, but must be entered to complete the setup.
    • Retry Interval – leave default at 60 seconds
    • Server Secret Key – provided secret defined above in step 3 when setting up the app in Okta.
    • Common Password – leave blank
    • Uncheck Microsoft CHAPv2 Capable. (important)
  5. When done, click OK.

  6. Click APPLY to save the configuration.

Closed Part 4 – Modify the AnyConnect Connection Profile to use the AAA Server Group

In this step you will also confirm that no conflicting or contrary Authorization/Authentication/Accounting settings exist.

  1. In to the Cisco ASDM console for the VPN appliance, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles, as shown below.

  2. Highlight the desired connection profile in the Connection Profiles section and click Edit above the list of profile names. The screen shown below opens.

  3. In the Authentication section, set the Method to AAA.
  4. Choose the AAA Server Group you previously created or modified, and click Advanced in the left column. The screen shown below opens.

  5. Click Secondary Authentication on the left and confirm that the “Secondary Authentication Server Group” is undefined.

    Info

    Note

    The current configuration is also knows as "multi-step authentication."

    An alternative configuration exists that leverages the “Secondary Authentication Server Group” to perform MFA in a different flow. In this configuration “Secondary” authentication is handled by the main AAA Server Group servers using RADIUS Challenge and Response messages.

    In that configuration, the Primary AAA Server Group is configured to perform primary authentication (username/password) against one AAA Server Group which could be verified against an Okta RADIUS Server Agent that is only configured to perform Primary Authentication. The Secondary AAA Server Group is configured to perform secondary authentication against a second AAA Server Group which is usually an Okta RADIUS Server with an App that is explicitly configured not to perform Primary Authentication, and is only used to verify a registered factor (push, verify OTP, sms OTP, etc.).

    Reasons for using this alternative configuration can include:

    • Primary authentication server is providing additional accounting, authorization or connection details that Okta cannot
    • Compliance reasons that dictate a non-multistep MFA experience
  6. Click Authorization on the left and confirm that the Server Group value is set to None, as shown below.

    Info

    Note

    Configurations that leverage an additional and distinct Authorization Server Group can exist and are beyond the scopeA scope is an indication by the client that it wants to access some resource. of this guide. Okta has experienced issues when this setting is pointing to a AAA Server Group populated with Okta RADIUS Server Agents. In those cases, a superfluous access request message is sent to the Okta RADIUS Server.

  7. Click Accounting on the left and confirm that the Accounting Server Group value is set to None, as shown below.
    Info

    Note

    There might be cases where a unique and meaningful Accounting Server Group is useful. AAA Server Groups with Okta RADIUS Server agents do not support RADIUS Accounting messages.

  8. Click OK to save the settings.
Closed Part 5 – Modify the AnyConnect Client Profile to extend the timeout
  1. In the Cisco ASA Admin Console, click the Configuration button, and then click the Remote Access VPN button.
  2. Navigate to Network (Client) Access > AnyConnect Client Profile, highlight the desired client profile, and click Edit, as shown below.

  3. In the screen that opens, select Preferences (Part 2), as shown below.

  4. Scroll down and locate Authentication Timeout (seconds), and set the value to 60.

  5. Click OK to save the settings.

  6. Click Commit to save the Okta RADIUS configuration within the Cisco ASA Admin Console.

Closed Part 6 – Test your Configuration

There are two configuration tests to test one-step and two-step flows. The following network diagrams represent these flows.

Network Diagram – Multi-step Flow

Network Diagram – Single-step Flow

ClosedTest 1 – Verify the Cisco ASA VPN Appliance is properly configured to work with Okta (two-step flow)

There are two parts to this test.

Part 1 – Test SSL-VPN with Cisco AnyConnect

  1. Open Cisco AnyConnect and click Connect, as shown below.

    Info

    Note

    The username must be in the format you specified when you added the app in Okta in Part 2, above.

  2. Enter your Username, Password, and optionally, a Group, and click OK, as shown below.

    • The username must be in the format you specified when you added the app in Okta in Part 2, above.
    • If configured, you concatenate the Password with a one-time password (OTP) or a keyword; for example Password1,123456, Password1,push, or Password1,sms, as detailed below.
      • 123456 – code from Okta Verify, Google Authenticator, or Yubikey OTP
      • push – trigger push notice to enrolled phone
      • sms – trigger sms to enrolled phone
      • other – any other configuration
  3. If you receive the Login Failed screen, check you username and password and try again.

  4. When the challenge screen appears, enter the corresponding number to the appropriate second factor and click Continue, as shown below. Follow the prompts to enter the second factor challenge.

    Info

    Note

    Users are challenged for a second factor to use based on the devices they have enrolled.

  5. After successfully completing the challenge, you are connected and see the screen shown below.

    If you enter an incorrect value or take to long to respond to the push notification, you see the screen shown below.

Part 2 –Test the clientless VPN with the AnyConnect web portal

  1. Navigate to the Cisco AnyConnect web portal URL, as shown below.

  2. Enter the same username, password, and group (optional), as in part 1, above.
  3. Enter the challenge factors when prompted.

  4. After successfully completing the challenge, you are connected and see the screen shown below.

    If you enter an incorrect value or take to long to respond to the push notification, you see the screen shown below.

ClosedTest 2 –Verify the Cisco ASA VPN Appliance is properly configured to work with Okta (one-step flow)

There are two parts to this test.

Part 1 – Test SSL-VPN with Cisco AnyConnect

  1. Open Cisco AnyConnect and click Connect, as shown below.

    Info

    Note

    The username must be in the format you specified when you added the app in Okta in Part 2, above.

  2. Enter your Username, Password,Second Password, and optionally, a Group, and click OK, as shown below.

    • The username must be in the format you specified when you added the app in Okta in Part 2, above.
    • Enter the second password, as follows.
      • 123456 – Code from Okta Verify, Google Authenticator, or Yubikey OTP
      • push – trigger push notice to enrolled phone
      • sms – trigger sms to enrolled phone
      • other – any other configuration
  3. If you receive the Login Failed screen, check you username and password and try again.

  4. After successfully completing the challenge, you are connected and see the screen shown below.

    If you enter an incorrect value or take to long to respond to the push notification, you see the screen shown below.

Part 2 –Test the clientless VPN with the AnyConnect web portal

  1. Navigate to the Cisco AnyConnect web portal URL, as shown below.

  2. Enter your Username, Password,Second Password, and optionally, a Group, and click OK, as shown below.

    • The username must be in the format you specified when you added the app in Okta in Part 2, above.
    • Enter the second password, as follows.
      • 123456 – Code from Okta Verify, Google Authenticator, or Yubikey OTP
      • push – trigger push notice to enrolled phone
      • sms – trigger sms to enrolled phone
      • other – any other configuration
  3. If you receive the Login Failed screen, check you username and password and try again.

  4. After successfully completing the challenge, you are connected and see the screen shown below.

    If you enter an incorrect value or take to long to respond to the push notification, you see the screen shown below.

Closed Part 7 – Configure Optional Settings

There are two optional settings you can configure, Client IP Reporting and Groups response.

Configure Client IP Reporting

To configure Okta to be able to parse, report on and eventually enforce policy based off of the source client IP Address you need to configure the Cisco ASA VPN (RADIUS) App in Okta as follows:

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the RADIUS app in your Okta Admin Console, as shown below.

  • Client IP: Check Report client IP.
  • RADIUS End User IP Attributes: 31 Calling-Station-Id

Configure Groups Response

The app is capable of receiving and parsing groups on the standard Attribute Value Pairs (AVP) of 11 (Filter-Id) and 25 (Class). Configure the Cisco ASA VPN (RADIUS) App in Okta as follows:

Enter the settings shown below in Advanced RADIUS Settings found on the Sign On tab for the RADIUS app in your Okta Admin Console.

 

Closed Additional Resources
Top

© 2020 Okta, Inc All Rights Reserved. Various trademarks held by their respective owners.