topic Re: ISE / OKTA as Radius Token server - Authorization group okta in Network Access Control

ISE / OKTA as Radius Token server - Authorization group okta

cisco.13 — Tue, 22 Feb 2022 22:38:12 GMT

Hello,

I added OKTA to ISE as a Radius Token server, and it works fine

OKTA return RADIUS attribute "25 Class" for each group, example class attribute :

ou=group1
ou=group1;ou=group2

I see on Radius token server / authorization, I can configure CiscoSecure-Group-Id attribute or specify another (Class ?),

How can I exploit it so that I can use it during authorization (allow only if a user is in a specific group) ?

Thank you

Re: ISE / OKTA as Radius Token server - Authorization group okta

thomas — Mon, 07 Mar 2022 04:11:52 GMT

In your ISE Policy's Authorization Rule, create a condition with

Cisco:cisco-av-pair CONTAINS <group>

and see if that works.

Re: ISE / OKTA as Radius Token server - Authorization group okta

cisco.13 — Mon, 07 Mar 2022 12:52:51 GMT

Hello @thomas

No work with Cisco:cisco-av-pair CONTAINS <group> !

in ISE, Class is OUT attribute, I changed it to cisco-avpair in okta, but still not working!

Re: ISE / OKTA as Radius Token server - Authorization group okta

thomas — Mon, 07 Mar 2022 15:42:13 GMT

Sorry, I don't know what "Class is OUT" means.

You need to provide some actual details for the community to help you.

See

Re: ISE / OKTA as Radius Token server - Authorization group okta

cisco.13 — Mon, 07 Mar 2022 16:03:39 GMT

Hello @thomas

Thank you for your reply

"Class is OUT" => Direction

Here is my configuration

AuthZ rule :

Thank you

Re: ISE / OKTA as Radius Token server - Authorization group okta

hslai — Thu, 10 Mar 2022 03:45:00 GMT

OKTA seems to have an LDAP interface. Could you not use that, instead?

Otherwise, Arne's reply in ISE as RADIUS Proxy and Attribute "Reply-Message"

Re: ISE / OKTA as Radius Token server - Authorization group okta

Arne Bier — Thu, 10 Mar 2022 06:12:49 GMT

It's been a while since I have used a token server in ISE but I recall that the reply message (from the token server) to ISE has to contain a Cisco AVPair that is formatted in such a way, that ISE can understand. From my research some years back, the reply has to contain Cisco AVPair as such

ACS:<whatever_attr_name_you_want>

Then you define that under RADIUS Token Identity Sources 'Authorization'. You will have the <whatever_attr_name_you_want> available in your AuthZ policies. If you don't use a custom name, then ISE defaults to CiscoSecure-Group-Id.

That means your external radius server needs to return a Cisco AVPair that looks like this (the User is in GroupXYZ) - you can't use anything other than a CiscoAVPair containing ACS...

So in your particular example, you have used Attribute Name of "cisco-av-pair" - this means, that OKTA has to reply to ISE with RADIUS attributes as shown below (two separate scenarios)

Cisco-AVPair = ACS:cisco-av-pair = Super-User

Cisco-AVPair = ACS:cisco-av-pair = Monitor-User

If this is the case, then your ISE Authorization rules will work - I explained it a bit more in the link that hslai shared.

The question is whether OKTA will let you manipulate the RADIUS attributes sent to ISE? This OKTA link seems to imply that they support Vendor Specific (which is what Cisco-AVPair is using) - so hopefully you can make it work by pre-pending the ACS:blah to it?

Select the Vendor Specific option from the drop down and then see how you get on. Share the screenshot please since I don't have OKTA.

Re: ISE / OKTA as Radius Token server - Authorization group okta

cisco.13 — Thu, 10 Mar 2022 11:49:01 GMT

Hello,

Thank you for your reply

In OKTA, I have :

26-Vendor specific

25-Class

11-Filter-ID

I can specify "ACS:cisco-av-pair" only in "Group name format" which returned to ISE (check ok with wireshark)

Thank you very much

Re: ISE / OKTA as Radius Token server - Authorization group okta

tzuyukuo31538 — Tue, 17 Sep 2024 15:27:12 GMT

Hi Sir,

I have recently integrated ISE's RADIUS TOKEN with OKTA. After entering the username and password on the Cisco switch, OKTA shows successful authentication, but I still see "% Authentication failed" on the switch.

OKTA shows the authentication was successful, and on ISE, I only see Authentication success, but there is no information regarding Authorization.

Could you please share your ISE and OKTA configurations for reference? Thank you.