We are currently using DUO as our MFA provider for our AnyConnect sessions, on an ASA5555-X. It is working fine, but we are switching providers to Okta. The trick is going to be testing and rollout. We have a LOT of employees, so we can't just hot cut one day. We need to find a way to roll it out in phases, or create a primary/backup aaa-server.
Current setup - Our current setup is using a RADIUS aaa-server like this:
aaa-server duo-radius (inside) host x.x.x.x timeout 60 key ***** authentication-port 1812 accounting-port 1813 no mschapv2-capable
The AnyConnect tunnel-group points to that aaa-server:
tunnel-group DefaultWEBVPNGroup general-attributes ... authentication-server-group duo-radius
Future Setup - I'm still gathering details, but I think the new Okta aaa-server will either be using RADIUS or LDAP.
Possible solutions - Here are a few possible approaches, but I'm not sure which are feasible, or if there is a better way out there.
Does anyone have any thoughts on this, or have any other ideas for testing or rolling out incrementally?
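As an added illustration (not config from the thread or from either vendor), this is one way to stage the cutover on the ASA without touching the existing duo-radius group: define a second RADIUS aaa-server group for Okta and a second tunnel-group that points at it, exposed to pilot users through a group alias. The host address, group name, alias text and group-policy name are placeholders.

```cisco
! Added example: second RADIUS server group for Okta, alongside the existing duo-radius group
aaa-server okta-radius protocol radius
aaa-server okta-radius (inside) host <okta-radius-agent-ip>
 key *****
 timeout 60
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable
!
! Pilot tunnel-group: same group-policy as production so the session settings
! (split tunnel, ACLs, DNS) are unchanged; only the authentication path differs
tunnel-group OKTA-PILOT type remote-access
tunnel-group OKTA-PILOT general-attributes
 authentication-server-group okta-radius
 default-group-policy <existing-group-policy>
tunnel-group OKTA-PILOT webvpn-attributes
 group-alias "Okta Pilot" enable
!
! Let AnyConnect show the group dropdown so pilot users can pick the new profile
webvpn
 tunnel-group-list enable
```

Because DefaultWEBVPNGroup still authenticates against duo-radius, a pilot user who hits a problem simply reconnects with the default profile, and widening the rollout is a matter of moving more users to the new alias before finally pointing DefaultWEBVPNGroup at okta-radius.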
Thanks for your feedback on the testing. Do you (or anyone else) have any suggestions for how to roll it out in phases? We want to avoid just changing the aaa-server at a specific date and time, forcing everyone to migrate at once.
That's a great idea! I think I will definitely make that my plan A. I'll bring it up in our upcoming planning meetings, and see how that works. Thanks for the input!