Configure the Cisco ASA VPN to interoperate with RADIUS

During this task we will configure the Cisco ASA VPN, specifically:

  • Define a RADIUS Server Profile
  • Define an Authentication Profile for Okta RADIUS Agent
  • Apply the Okta RADIUS Authentication Profile to a Gateway
  • Configure the portal to use the Okta RADIUS Authentication Profile.


  1. Configure Cisco ASA VPN
  2. Modify the IPSec(IKEv2) Connection Profile

Before you begin

  • Ensure that you have the common UDP port and secret key values available.

Configure Cisco ASA VPN

  1. Define an AAA Server Group
    1. Sign in to the Cisco ASDM console for the VPN appliance using an account with sufficient privileges.
    2. Navigate to ConfigurationRemote Access VPNAAA/Local usersAAA server groups, as shown below.

    3. Click Add to create a new group.
      The Add AAA Server Group dialog displays.

    4. Leave the default settings except for the following:

      • AAA Server Group – specify a name to identify the group for the MFA server

      • Protocol – select RADIUS if necessary

    5. Click OK.
  2. Add AAA Server(s) to your AAA Server Group
    1. Select Remote Access VPN and navigate to AAA/Local UsersAAA Server Groups.
      Select the server group just created.

    2. Click Add.
      The Edit 'ServerName' Server dialog displays.

    3. Specify the following, leaving all other fields unchanged:
      • Interface Name – select the interface that will handle communication with the MFA Server
      • Server Name or IP Address – specify the name or the IP address of the Okta RADIUS Agent
      • Timeout (seconds) – 60 seconds
      • Server Authentication port – enter the required port number. Port 1812 was used as the example.
      • Server Accounting Port – 1646. This value is not used, but must be entered to complete the setup.
      • Retry Interval – leave default at 60 seconds
      • Server Secret Key – provided secret defined when setting up the app in Okta.
      • Common Password – leave blank.
      • Uncheck Microsoft CHAPv2 Capable. (important).
    4. Click OK.
    5. Click APPLY to save the configuration.

Modify the IPSec(IKEv2) Connection Profile

Modify the IPSec(IKEv2) Connection Profile to use the new Authentication Server group.

  1. Open the Cisco ASDM console for the VPN appliance.
  2. Click Configuration.
  3. Select Remote Access VPN.
  4. In the Remote Access VPN section, select IPsec(IKEv2) Connection Profiles.
  5. Select the DefaultRAGroup group, and click Edit.
  6. In the IKE Peer Authentication Group section enable Enable Peer to Peer authentication using EAP and Send an EAP Identity request to the client.
  7. Click OK to save.