Configure Cisco Meraki to interoperate with Okta via RADIUS
This guide details how to configure Cisco Meraki wireless access points to use the Okta RADIUS Server Agent and EAP-TTLS.
For details of the flow between Okta, the RADIUS agent and Cisco Meraki see Cisco Meraki RADIUS integration flow.
Contact Okta Support to have EAP-TTLS support enabled for your Okta org.
Topics
- Before you begin
- Limitations
- Configure Cisco Meraki to interoperate with Okta via RADIUS
- Typical workflow
Before you begin
Before installing the Okta RADIUS Agent, ensure that you have met these minimum requirements for network connectivity:
Source | Destination | Port/Protocol | Description |
---|---|---|---|
Okta RADIUS Agent | Okta Identity Cloud | TCP/443 HTTP | Configuration and authentication traffic |
Client Gateway | Okta RADIUS Agent | UDP/1812 RADIUS (default; may be changed in the RADIUS app install and configuration) | RADIUS traffic between the gateway (client) and the RADIUS Agent (server) |
Limitations
Only a single Okta Verify device should be enrolled. Enrolling second and subsequent Okta Verify devices may cause undefined or unexpected behavior.
On using MFA with Cisco Meraki
Okta doesn't recommend using MFA with EAP-TTLS, and it is disabled by default in the Cisco Meraki RADIUS app policy.
While technically possible, MFA with EAP-TTLS may not work correctly due to:
- Timeout and retry configurations on the router and supplicants, which cause several push requests to be sent unless the end user accepts the first push notification quickly.
- Roaming between access points within a zone works as expected with static passwords, but results in MFA re-prompts unless Pairwise Master Key caching and Opportunistic Key caching are correctly configured to prevent RADIUS re-authentication.
Typical workflow
Task | Description |
---|---|
Download the RADIUS agent | |
Install the Okta RADIUS Agent. | |
Configure application | |
Configure optional settings | |
Configure gateway | |
Configure devices | |