Configure the Cisco ASA VPN to Interoperate with Okta via RADIUS

This guide details how to configure Cisco ASA VPN to use the Okta RADIUS Server Agent.

Okta and Cisco ASA interoperate through RADIUS. For each Cisco ASA appliance, you can configure AAA Server groups which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls.

The following best practice compares operating with SAML and RADIUS when both are available.

Some integrations interoperate with Okta through either RADIUS or SAML 2.0. The following screen shots compare the two end-user experiences.

SAML end-user experience

RADIUS end-user experience

There are several advantages to using SAML integrations when available.

  1. SAML provides a rich, intuitive and consistent login experience. RADIUS interacts with a text-based challenge with inconsistent formatting. Using SAML can reduce user training and support requirements and the consistent sign in experience with SAML makes users less susceptible to phishing attempts.

  2. SAML integrations provide more security as credentials are exposed to fewer parties.

  3. SAML integrations run with a simplified infrastructure. The do not require running on-premise agents and require little maintenance. The user agent (web browser, VPN client, etc.) is used to transmit messages in a secure manor; therefore, there is no need for the service provider (firewall or application server) to connect to Okta. Federation is established through a one-time exchange of SAML metadata. This one-time setup establishes trust for ongoing transactions.

  4. Okta SAML integrations are very robust and include adaptive MFA and provisioning.

For a seamless end user experience and enhanced security and simplified architecture consider using SAML if you have AnyConnect versions greater than 4.4 and ASA versions greater than 9.7.1

Use this integration guide to configure an the Okta RADIUS Server Agent for older software versions or in cases where SAML authentication does not meet your requirements.

Note: The SAML app for Cisco ASA is named Cisco ASA VPN (SAML). To use it, add the app, click Sign On in the top menu, and then, click View Setup Instructions for installation instructions tailored to your organization.

There are six parts to the configuration. In addition to the required steps, you can configure optional settings. A list of additional resources is also provided.

Configuring the Cisco ASA VPN to use the Okta RADIUS Agent requires pre-configuration of the RADIUS agent.

  1. Download the Okta RADIUS Agent from the Settings > Downloads page in Okta.
  2. Install the agent using the instructions in Installing and Configuring the Okta RADIUS Server Agent.
  3. For throughput, availability and other considerations, see Okta RADIUS Server Agent Deployment Best Practices.

After installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud tcp/443
http		 Configuration and authentication traffic
Cisco ASA Okta RADIUS Agent udp/1812 RADIUS (actual port number defined in next step) RADIUS traffic between the firewall (client) and the RADIUSs Agent (server)

In this step, add the Cisco ASA - RADIUS app from the OIN and apply settings specific to your deployment. In this section we will configure the following:

  • Authentication configuration

  • UDP Port

  • Secret Key

  • Application Username Format

Info

Note

The U2F Security and Windows Hello MFA factors are not compatible with RADIUS-enabled implementations.
For additional information about the Radius apps refer to Configuring RADIUS applications in Okta.

There are some optional advanced radius configuration options that are listed at the end of this document to help with Reporting the Client IP and Sending Groups information to the firewall.

  1. In Okta, navigate to Applications > Applications> Add Application, search for Cisco ASA, then click Add Application:

  2. Enter a unique name.

  3. Provide the following Sign On values:

    • Authentication: Retaining this default button allows Okta to perform primary authentication.

    • UDP Port: Required. Each RADIUS app has a unique number. Enter it here.

    • Secret Key: Required. Enter the secret key that will be used to encrypt and decrypt the user password. This key must be identical to what is configured on the Cisco ASA) app.

    • Application username format:This determines how the RADIUS client sends in the username. Select an option from the drop-down menu.

  4. After completing the setup, assign the app to the users/groups that require access.

For additional information, including guidance on advanced authentication and adaptive multifactor configuration options, see Using the Okta RADIUS App.

In Part 3 you define a RADIUS Server Profile, define an Authentication Profile for Okta RADIUS Agent, apply the Okta RADIUS Authentication Profile to a Gateway, and configure the portal to use the Okta RADIUS Authentication Profile.
Complete these using the Cisco ASA Admin Console.

Step 1 –Define an AAA Server Group

  1. Sign in to the Cisco ASDM console for the VPN appliance with sufficient privileges
  2. Navigate to Configuration > Remote Access VPN > AAA/Local users > AAA server groups, as shown below.

  3. Click Add to create a new group. The Add AAA Server Group screen opens, as shown below.

  4. Leave the default settings except for the following

    • AAA Server Group – specify a name to identify the group for the MFA server

    • Protocol – select RADIUS if necessary

Step 2 – Add AAA Server(s) to your AAA Server Group

  1. Click OK to return to the Cisco ASDM console, shown in step 2, above.

  2. Cick Remote Access VPN and navigate to AAA/Local Users > AAA Server Groups. Select the server group you just created.

  3. Click Add. The screen shown below opens.

  4. Leave the default settings except for the following
    • Interface Name – select the interface that will handle communication with the MFA Server
    • Server Name or IP Address – specify the name or the IP address of the Okta RADIUS Agent
    • Timeout (seconds) – 60 seconds
    • Server Authentication port – enter the port number you configured above in step 3 when setting up the app in Okta. Port 1812 was used as the example.
    • Server Accounting Port – 1646. This value is not used, but must be entered to complete the setup.
    • Retry Interval – leave default at 60 seconds
    • Server Secret Key – provided secret defined above in step 3 when setting up the app in Okta.
    • Common Password – leave blank
    • Uncheck Microsoft CHAPv2 Capable. (important)
  5. When done, click OK.

  6. Click APPLY to save the configuration.

In this step you will also confirm that no conflicting or contrary Authorization/Authentication/Accounting settings exist.

  1. In to the Cisco ASDM console for the VPN appliance, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles, as shown below.

  2. Highlight the desired connection profile in the Connection Profiles section and click Edit above the list of profile names. The screen shown below opens.

  3. In the Authentication section, set the Method to AAA.
  4. Choose the AAA Server Group you previously created or modified, and click Advanced in the left column. The screen shown below opens.

  5. Click Secondary Authentication on the left and confirm that the “Secondary Authentication Server Group” is undefined.

    Info

    Note

    The current configuration is also knows as "multi-step authentication."

    An alternative configuration exists that leverages the “Secondary Authentication Server Group” to perform MFA in a different flow. In this configuration “Secondary” authentication is handled by the main AAA Server Group servers using RADIUS Challenge and Response messages.

    In that configuration, the Primary AAA Server Group is configured to perform primary authentication (username/password) against one AAA Server Group which could be verified against an Okta RADIUS Server Agent that is only configured to perform Primary Authentication. The Secondary AAA Server Group is configured to perform secondary authentication against a second AAA Server Group which is usually an Okta RADIUS Server with an App that is explicitly configured not to perform Primary Authentication, and is only used to verify a registered factor (push, verify OTP, sms OTP, etc.).

    Reasons for using this alternative configuration can include:

    • Primary authentication server is providing additional accounting, authorization or connection details that Okta cannot
    • Compliance reasons that dictate a non-multistep MFA experience
  6. Click Authorization on the left and confirm that the Server Group value is set to None, as shown below.

    Info

    Note

    Configurations that leverage an additional and distinct Authorization Server Group can exist and are beyond the scope of this guide. Okta has experienced issues when this setting is pointing to a AAA Server Group populated with Okta RADIUS Server Agents. In those cases, a superfluous access request message is sent to the Okta RADIUS Server.

  7. Click Accounting on the left and confirm that the Accounting Server Group value is set to None, as shown below.
    Info

    Note

    There might be cases where a unique and meaningful Accounting Server Group is useful. AAA Server Groups with Okta RADIUS Server agents do not support RADIUS Accounting messages.

  8. Click OK to save the settings.
  1. In the Cisco ASA Admin Console, click the Configuration button, and then click the Remote Access VPN button.
  2. Navigate to Network (Client) Access > AnyConnect Client Profile, highlight the desired client profile, and click Edit, as shown below.

  3. In the screen that opens, select Preferences (Part 2), as shown below.

  4. Scroll down and locate Authentication Timeout (seconds), and set the value to 60.

  5. Click OK to save the settings.

  6. Click Commit to save the Okta RADIUS configuration within the Cisco ASA Admin Console.

There are two configuration tests to test one-step and two-step flows. The following network diagrams represent these flows.

Network Diagram – Multi-step Flow

Network Diagram – Single-step Flow

There are two parts to this test.

Part 1 – Test SSL-VPN with Cisco AnyConnect

  1. Open Cisco AnyConnect and click Connect, as shown below.

    Info

    Note

    The username must be in the format you specified when you added the app in Okta in Part 2, above.

  2. Enter your Username, Password, and optionally, a Group, and click OK, as shown below.

    • The username must be in the format you specified when you added the app in Okta in Part 2, above.
    • If configured, you concatenate the Password with a one-time password (OTP) or a keyword; for example Password1,123456, Password1,push, or Password1,sms, as detailed below.
      • 123456 – code from Okta Verify, Google Authenticator, or Yubikey OTP
      • push – trigger push notice to enrolled phone
      • sms – trigger sms to enrolled phone
      • other – any other configuration
  3. If you receive the Login Failed screen, check you username and password and try again.

  4. When the challenge screen appears, enter the corresponding number to the appropriate second factor and click Continue, as shown below. Follow the prompts to enter the second factor challenge.

    Info

    Note

    Users are challenged for a second factor to use based on the devices they have enrolled.

  5. After successfully completing the challenge, you are connected and see the screen shown below.

    If you enter an incorrect value or take to long to respond to the push notification, you see the screen shown below.

Part 2 –Test the clientless VPN with the AnyConnect web portal

  1. Navigate to the Cisco AnyConnect web portal URL, as shown below.

  2. Enter the same username, password, and group (optional), as in part 1, above.
  3. Enter the challenge factors when prompted.

  4. After successfully completing the challenge, you are connected and see the screen shown below.

    If you enter an incorrect value or take to long to respond to the push notification, you see the screen shown below.

There are two parts to this test.

Part 1 – Test SSL-VPN with Cisco AnyConnect

  1. Open Cisco AnyConnect and click Connect, as shown below.

    Info

    Note

    The username must be in the format you specified when you added the app in Okta in Part 2, above.

  2. Enter your Username, Password,Second Password, and optionally, a Group, and click OK, as shown below.

    • The username must be in the format you specified when you added the app in Okta in Part 2, above.
    • Enter the second password, as follows.
      • 123456 – Code from Okta Verify, Google Authenticator, or Yubikey OTP
      • push – trigger push notice to enrolled phone
      • sms – trigger sms to enrolled phone
      • other – any other configuration
  3. If you receive the Login Failed screen, check you username and password and try again.

  4. After successfully completing the challenge, you are connected and see the screen shown below.

    If you enter an incorrect value or take to long to respond to the push notification, you see the screen shown below.

Part 2 –Test the clientless VPN with the AnyConnect web portal

  1. Navigate to the Cisco AnyConnect web portal URL, as shown below.

  2. Enter your Username, Password,Second Password, and optionally, a Group, and click OK, as shown below.

    • The username must be in the format you specified when you added the app in Okta in Part 2, above.
    • Enter the second password, as follows.
      • 123456 – Code from Okta Verify, Google Authenticator, or Yubikey OTP
      • push – trigger push notice to enrolled phone
      • sms – trigger sms to enrolled phone
      • other – any other configuration
  3. If you receive the Login Failed screen, check you username and password and try again.

  4. After successfully completing the challenge, you are connected and see the screen shown below.

    If you enter an incorrect value or take to long to respond to the push notification, you see the screen shown below.

There are two optional settings you can configure, Client IP Reporting and Groups response.

Configure Client IP Reporting

To configure Okta to be able to parse, report on and eventually enforce policy based off of the source client IP Address you need to configure the Cisco ASA VPN (RADIUS) App in Okta as follows:

Enter the following settings in Advanced RADIUS Settings found on the Sign On tab for the RADIUS app in your Okta Admin Console, as shown below.

  • Client IP: Check Report client IP.
  • RADIUS End User IP Attributes: 31 Calling-Station-Id

Configure Groups Response

The app is capable of receiving and parsing groups on the standard Attribute Value Pairs (AVP) of 11 (Filter-Id) and 25 (Class). Configure the Cisco ASA VPN (RADIUS) App in Okta as follows:

Enter the settings shown below in Advanced RADIUS Settings found on the Sign On tab for the RADIUS app in your Okta Admin Console.