OKTA Identity Store - Return AD Group Membership

Phi Yim
Cisco Employee

ISE Experts,


I'm pretty sure the answer is yes, but can you please confirm that ISE can use an internal AD as an identity store and OKTA as an identity store in parallel? And if the customer uses the OKTA identity store in a policy, does it support group membership? A quick Google search seems to indicate yes: https://support.okta.com/help/s/question/0D50Z00008G7VDwSAN/okta-integration-with-cisco-ise


Thank you experts!

Accepted Solution

howon
Cisco Employee

Yes, what you mentioned is all supported. Just as a reminder, if this is for EAP, then there are certain EAP types that depend on the identity store to work. So if using both AD and LDAP for EAP, then you need to craft the ISE 802.1X authentication policy to avoid sending unsupported EAP types to LDAP:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01110.html#concept_BD3A270FEC0C411DA10FB808C14B48D5


3 Replies

howon
Cisco Employee

Phi, can you provide more details regarding the inquiry? Such as what protocol is being used between OKTA and ISE, what it means by "use an identity store in parallel", how will group membership be shared to ISE from OKTA?

Phi Yim
Cisco Employee

Protocol will be LDAP between OKTA and ISE.


What I mean by using both in parallel is if we can use OKTA and AD at the same time.


We want to make sure the group membership from OKTA can be used in an ISE policy.
