Cisco Employee

ISE + OKTA for 2FA/OTP

Hello-

I have a customer that is interested in ISE that is currently using OKTA for their 2FA/OTP. They want to know if ISE and OKTA can integrate together to provide:

  1. 2FA/OTP for RA-VPN users utilizing ASAs and AnyConnect
  2. 2FA/OTP for RADIUS/TACACS+ based device administration

From what I was able to find on OKTA's support pages and documentation, this should not be an issue. It appears that OKTA will just be referenced as an external RADIUS server in ISE (similar to other OTP providers such as DUO, RSA, etc.). However, I wanted to see if anyone can confirm this.

Thanks!

Neno

1 ACCEPTED SOLUTION

VIP Engager

Re: ISE + OKTA for 2FA/OTP

I have used OKTA on several installs without an issue, mostly for VPN authentication. As you said, OKTA is just an external RADIUS server to ISE and it runs the whole authentication. You probably want to crank up your RADIUS timeouts to something like 2-3 minutes because, depending on the verification OKTA is doing (OKTA App, App Push, SMS Text, call), it can take a while for the person to type in their password.


5 REPLIES
Cisco Employee

Re: ISE + OKTA for 2FA/OTP

ISE can integrate with any RADIUS token server compliant with RFC 2865. Our teams are not testing OKTA as an OTP, so we do not have info on which OKTA product(s) work.

Cisco Employee

Re: ISE + OKTA for 2FA/OTP

Hey Paul, nice to "hear" from you! Thank you for the reply/confirmation Paul!

Best regards,

Neno

Beginner

Re: ISE + OKTA for 2FA/OTP

To be clear, in that scenario, is the ASA the original RADIUS client and ISE just proxies the RADIUS message back and forth between the Okta agent and ASA?

Beginner

Re: ISE + OKTA for 2FA/OTP

Sorry to barge into this thread, but it fits right in with the topic at hand... is it possible to use ISE for the primary authc and authz, and add an OKTA RADIUS agent as a secondary RADIUS server just for the 2nd factor (i.e., Okta Push)?