cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2557
Views
25
Helpful
4
Replies

Cisco(Anyconnect) FTD Integration with Okta for AuthC

obaid.noor2
Level 1
Level 1

Hi,

   We have a customer that has an existing setup as below:

 

Cisco Anyconnect --> RADIUS Auth --> Okta RADIUS Agent on NPS server 

Based on Authentication and the RADIUS response received, the user gets assigned to a specified subnet.

 

With the new requirement the Client wants the FTD directly integrated with Okta using SAML but that does not help with assigning users to the relevant subnets based on the RADIUS response (does Okta provide a radius response without the RADIUS agent?)

 

The Client also wants to enable posture checks making use of Cisco ISE but the FTD does not pass any RADIUS attributes to the ISE.

To summarise we have two problems:

 

1) FTD, when integrated with Okta via SAML, does not assign users to the respective subnets using RADIUS attributes

2) FTD does not pass the RADIUS attributes received, if any, from Okta to Cisco ISE for AuthZ.

 

Any guidance around this would be very much appreciated.

 

Thanks,

Obaid

4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

SAML is only supported for Authentication in 6.7.

SAML for Authorization is available in Firepower 7.0+.

If ISE is in the mix, we would generally use the SAML-based iDP (Okta in this case) for Authentication only and then designate ISE as the Authorization server. ISE would independently check the already-authenticated user for the attributes (usually in AD) required to send an Authorization result (such as LDAP MemberOf mapping to Group-policy or other relevant value such as assigned address/subnet).

Thanks heaps for the reply Marvin.
For my own clarity’s sake, below is what you suggested:

1. Integrate FTD with Okta via SAML for only AuthC
2. Once the AuthC is completed point the FTD to the ISE for AuthZ and posture analysis
3. ISE will need to be integrated with AD, separately, to retrieve user attributes for a specific user that is being passed from the FTD?
4. Based on the user attributes, that ISE receives from the AD, it assigns it a subnet?

Is my understanding correct?

Thanks,
Obaid

Mostly correct.

Normally we don't pass the subnet per se as a RADIUS attribute to be assigned as you mentioned in point #4. (I'm not even sure that's available as a RADIUS A-V pair). Instead we assign users to a group policy on the FTD (or ASA) which has the subnet or address range assignment as one of its attributes.

Hi Marvin, Good Day!

                   Need your expert advice/direction on this same topic a bit more. In the above setup the client does not want ISE to be integrated with AD. The setup they want is as below:

 

1) Integrate FTD with Okta using SAML for user authentication for Anyconnect.

2) FTD assigns the user to a specific group policy based on the URL the user is connecting to.

3) FTD passes the details onto ISE for posture checks and AuthZ.

 

If ISE isn't integrated with AD, can it still do AuthZ only based on posture checks?

 

Would there still be a way to differentiate between Corporate machines vs BYOD machines?

 

Thanking you in advance

 

Obaid