Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
9583
Views
14
Helpful
8
Replies

ISE + OKTA for 2FA/OTP

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎01-11-2018 06:50 PM

Hello-

I have a customer that is interested in ISE that is currently using OKTA for their 2FA/OTP. They want to know if ISE and OKTA can integrate together to provide:

  1. 2FA/OTP for RA-VPN users utilizing ASAs and AnyConnect
  2. 2FA/OTP for RADIUS/TACACS+ based device administration

From what I was able to find on OKTA's support pages and documentation this should not be an issue. It appears that OKTA will just be referenced as an external RADIUS server in ISE (Similarly to other OTP providers such as DUO, RSA, etc). However, I wanted to see if anyone can confirm this.

Thanks!

Neno

Thank you for rating helpful posts!
1 Accepted Solution

Accepted Solutions

Go to solution
paul
Level 10
Level 10

‎01-12-2018 01:01 PM

I have used OKTA on several installs without an issue mostly for VPN authentication.  As you said OKTA is just an external RADIUS server to ISE and it runs the whole authentication.  You probably want to crank up your RADIUS timeouts to something like 2-3 minutes because depending on the verification OKTA is doing (OKTA App, App Push, SMS Text, call) it can take a while for the person to type in their password.

View solution in original post

8 Replies 8

Go to solution
hslai
Cisco Employee
Cisco Employee

‎01-12-2018 07:37 AM

ISE can integrate with any RADIUS token server compliant with RFC 2865. Our teams are not testing OKTA as an OTP so we do not have info which OKTA product(s) work.

Go to solution
paul
Level 10
Level 10

‎01-12-2018 01:01 PM

I have used OKTA on several installs without an issue mostly for VPN authentication.  As you said OKTA is just an external RADIUS server to ISE and it runs the whole authentication.  You probably want to crank up your RADIUS timeouts to something like 2-3 minutes because depending on the verification OKTA is doing (OKTA App, App Push, SMS Text, call) it can take a while for the person to type in their password.

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to paul

‎01-15-2018 09:55 PM

Hey Paul, nice to "hear" from you! Thank you for the reply/confirmation Paul!

Best regards,

Neno

Thank you for rating helpful posts!
0 Helpful

Go to solution
hugh.kelley
Level 1
Level 1
In response to paul

‎04-19-2018 11:22 AM

To be clear, in that scenario,  is the ASA the original RADIUS client and ISE just proxies the RADIUS message back and forth between the Okta agent and ASA?

Go to solution
Nathaniel Bell
Level 1
Level 1
In response to paul

‎02-14-2019 02:25 PM

Sorry to barge in to this thread, but it fits right in with the topic at hand...is it possible to use ISE for the Primary authc and authz, and add an OKTA RADIUS agent as a secondary RADIUS server just for the 2nd factor? (I.E. Okta Push)

Go to solution
Mustafa9046
Level 1
Level 1
In response to paul

‎11-05-2021 01:12 PM

Hi Team,

 

I have Cisco ISE 3.0 trying to integrate OKTA  for  2FA/OTP for RADIUS/TACACS+ based device administration

 

Authentication via OKTA Push + AD

Authorization Via AD 

 

Can you please help me with any reference configuration ??

0 Helpful

Go to solution
kdurai12
Level 1
Level 1
In response to paul

‎04-27-2022 05:58 AM

Thank you so much, is it work well for Cisco CLI MFA authentications? like App Push / approve.? Thank you. ! 

0 Helpful

Go to solution
Mustafa9046
Level 1
Level 1

‎11-05-2021 01:11 PM

Hi Team,

 

I have Cisco ISE 3.0 trying to integrate OKTA  for  2FA/OTP for RADIUS/TACACS+ based device administration

 

Authentication via OKTA Push + AD

Authorization Via AD 

 

Can you please help me with any reference configuration ??

 

 

 

 

 

 

0 Helpful
Customers Also Viewed These Support Documents
Top