Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Firewalls Community


AnyConnect - Changing MFA Provider in Stages

We are currently using DUO as our MFA provider for our AnyConnect sessions, on an ASA5555-X.  It is working fine, but we are switching providers to Okta.  The trick is going to testing and rollout/.  We have a LOT of employees, so we can't just hot cut one day.  We need to find a way to roll it out in phases, or create a primary/backup aaa-server.


Current setup - Our current setup is using a RADIUS aaa-server like this:

aaa-server duo-radius (inside) host x.x.x.x
 timeout 60
 key *****
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable

The AnyConnect tunnel-group points to that aaa-server:

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group duo-radius

Future Setup - I'm still gathering details, but I think the new Okta aaa-server with either be using RADIUS or LDAP.


Possible solutions - Here are a few possible approaches, but I'm not sure which are feasible, or if there is a better way out there.

  1. Primary/Backup authentication - Is there a way to have it point to Okta as my primary authentication, and failover to Duo?  I could not find a way, other than adding the Okta server to the existing 'duo-radius' group, but that would require both servers to be using the same RADIUS key, etc.
  2. Parallel VPN Config for testing - Perhaps I could create a second VPN profile that points to Okta for the testing phase?

Does anyone have any thoughts on this, or have any other ideas for testing or rolling out incrementally?

VIP Advocate RJI VIP Advocate
VIP Advocate

Re: AnyConnect - Changing MFA Provider in Stages

I'd personally go with your solution 2 - create a RADIUS server for Okta and a new tunnel-group, referencing the new RADIUS server. You should then be able to test authentication to Okta on that dedicated tunnel-group, whilst existing users can still authenticate to Duo on the existing tunnel-group.


Re: AnyConnect - Changing MFA Provider in Stages

Thanks for your feedback on the testing.  Do you (or anyone else) have any suggestions for how to roll it out in phases?  We want to avoid just changing the aaa-server at a specific date and time, forcing everyone to migrate at once.

VIP Advocate RJI VIP Advocate
VIP Advocate

Re: AnyConnect - Changing MFA Provider in Stages

Once you've tested using the 2nd tunnel-group, push out a new anyconnect profile configuration file with both the old and the new tunnel-group, giving the users the option to use either tunnel-group and therefore Duo or Okta. That approach worked well in my experience recently.

Re: AnyConnect - Changing MFA Provider in Stages

That's a great idea!  I think I will definitely make that my plan A.  I'll bring it up in our upcoming planning meetings, and see how that works.  Thanks for the input!