ISE / OKTA as Radius Token server - Authorization group okta

cisco.13
Level 1

Hello,

I added OKTA to ISE as a RADIUS Token server, and it works fine.

OKTA returns RADIUS attribute "25 Class" for each group. Example Class attribute values:

  • ou=group1
  • ou=group1;ou=group2

I see that under RADIUS Token server / Authorization, I can configure the CiscoSecure-Group-Id attribute or specify another one (Class?).

How can I make use of it during authorization (allow only if a user is in a specific group)?

 

(screenshot: ISE.png)

 

Thank you

7 Replies

thomas
Cisco Employee

In your ISE Policy's Authorization Rule, create a condition with

Cisco:cisco-av-pair CONTAINS <group>

and see if that works.

(screenshot: image.png)

cisco.13
Level 1

Hello @thomas 

It does not work with Cisco:cisco-av-pair CONTAINS <group>!

In ISE, Class is an OUT attribute. I changed it to cisco-avpair in OKTA, but it is still not working!

Sorry, I don't know what "Class is OUT" means.

You need to provide some actual details for the community to help you.

See How to Ask The Community for Help 

Hello @thomas 

 

Thank you for your reply

 

"Class is OUT" => Direction 

 

(screenshots: image001.png, image002.png)

 

Here is my configuration:

(screenshot: image001 (1).png)

AuthZ rule:

(screenshot: image002 (1).png)

 

Thank you

hslai
Cisco Employee

OKTA seems to have an LDAP interface. Could you not use that instead?

Otherwise, see Arne's reply in ISE as RADIUS Proxy and Attribute "Reply-Message"

It's been a while since I have used a token server in ISE, but I recall that the reply message (from the token server) to ISE has to contain a Cisco AVPair that is formatted in such a way that ISE can understand it. From my research some years back, the reply has to contain a Cisco AVPair as such:

 

ACS:<whatever_attr_name_you_want>

 

Then you define that under RADIUS Token Identity Sources 'Authorization'. You will then have <whatever_attr_name_you_want> available in your AuthZ policies. If you don't use a custom name, ISE defaults to CiscoSecure-Group-Id.

 

That means your external RADIUS server needs to return a Cisco AVPair that looks like this (the user is in GroupXYZ) - you can't use anything other than a Cisco AVPair containing ACS...

 

So in your particular example, you have used an Attribute Name of "cisco-av-pair" - this means that OKTA has to reply to ISE with RADIUS attributes as shown below (two separate scenarios):

Cisco-AVPair = ACS:cisco-av-pair = Super-User

Cisco-AVPair = ACS:cisco-av-pair = Monitor-User

 

If this is the case, then your ISE Authorization rules will work - I explained it a bit more in the link that hslai shared.

 

The question is whether OKTA will let you manipulate the RADIUS attributes sent to ISE. This OKTA link seems to imply that they support Vendor Specific (which is what Cisco-AVPair uses) - so hopefully you can make it work by prepending the ACS:blah to it?

Select the Vendor Specific option from the drop-down and then see how you get on. Please share a screenshot, since I don't have OKTA.
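As an added example (not code from this thread, Okta or Cisco, and not ISE's actual implementation), the script below decodes a constructed RADIUS Access-Accept attribute payload the way the token-server mapping described above would need to see it: the Class attribute (25) with "ou=group1;ou=group2" values from the original question, and the Cisco vendor-specific cisco-av-pair (attribute 26, vendor 9, sub-type 1) carrying the "ACS:<name>=<value>" form Arne describes. It then evaluates a group-membership rule against the mapped attribute. The attribute name "cisco-av-pair", the group values, and the packet bytes are all assumptions built by hand for illustration; nothing is sent on the network.

```python
"""
Added example: decode RADIUS Access-Accept attributes (Class, Filter-Id,
Cisco-AVPair VSA) and evaluate a group-based authorization rule.

Assumptions (hypothetical, for illustration only):
  * The token server returns Class as "ou=group1;ou=group2".
  * The Cisco VSA carries "ACS:<attr_name>=<value>", and the attribute name
    configured under the token source's Authorization tab is "cisco-av-pair".
  * SAMPLE_ACCEPT below is constructed by hand; it is not a real capture.
"""
import struct

ATTR_FILTER_ID = 11
ATTR_CLASS = 25
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1  # Cisco VSA sub-type for cisco-av-pair


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type-Length-Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_cisco_avpair(text: str) -> bytes:
    """Encode a cisco-av-pair Vendor-Specific attribute (vendor id 9)."""
    sub = struct.pack("!BB", CISCO_AV_PAIR, len(text) + 2) + text.encode()
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def parse_attrs(payload: bytes):
    """Yield (type, vendor, vsa_type, value) per attribute, descending into
    Vendor-Specific sub-attributes. vendor/vsa_type are None for non-VSAs.
    Malformed lengths raise ValueError instead of being silently skipped."""
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header")
        t, ln = payload[i], payload[i + 1]
        if ln < 2 or i + ln > len(payload):
            raise ValueError("bad attribute length")
        value = payload[i + 2:i + ln]
        if t == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                if len(value) - j < 2:
                    raise ValueError("truncated VSA sub-attribute header")
                st, sln = value[j], value[j + 1]
                if sln < 2 or j + sln > len(value):
                    raise ValueError("bad VSA sub-attribute length")
                yield t, vendor, st, value[j + 2:j + sln]
                j += sln
        else:
            yield t, None, None, value
        i += ln


def ise_token_attributes(payload: bytes, acs_attr_name: str = "cisco-av-pair") -> dict:
    """Model the mapping a token source would expose to authorization policy:
    groups from Class (split on ';', 'ou=' stripped) and the values of every
    Cisco av-pair whose name matches the configured ACS:<name>= prefix."""
    result = {"class_groups": [], acs_attr_name: []}
    prefix = "ACS:" + acs_attr_name + "="
    for t, vendor, st, value in parse_attrs(payload):
        if t == ATTR_CLASS:
            for part in value.decode(errors="replace").split(";"):
                part = part.strip()
                if part.startswith("ou="):
                    result["class_groups"].append(part[3:])
        elif t == ATTR_VENDOR_SPECIFIC and vendor == CISCO_VENDOR_ID and st == CISCO_AV_PAIR:
            text = value.decode(errors="replace")
            if text.startswith(prefix):
                result[acs_attr_name].append(text[len(prefix):])
    return result


def authorize(attrs: dict, required_group: str, acs_attr_name: str = "cisco-av-pair") -> bool:
    """Authorization rule: permit only if the required group is one of the
    mapped values. Exact per-value match, so 'User' does not match 'Super-User'
    the way a substring CONTAINS check would."""
    return required_group in attrs.get(acs_attr_name, [])


# Constructed Access-Accept attribute payload (RADIUS header omitted) for a
# user in group1 and group2 holding the Super-User value.
SAMPLE_ACCEPT = (
    build_attr(ATTR_CLASS, b"ou=group1;ou=group2")
    + build_cisco_avpair("ACS:cisco-av-pair=Super-User")
    + build_attr(ATTR_FILTER_ID, b"group1")
)

if __name__ == "__main__":
    mapped = ise_token_attributes(SAMPLE_ACCEPT)
    print(mapped)
    print("Super-User permitted:", authorize(mapped, "Super-User"))
    print("Monitor-User permitted:", authorize(mapped, "Monitor-User"))
```

The Class values are decoded too, so you can see what is available from the "ou=" list even though only the ACS:-prefixed av-pair is mapped into the named authorization attribute; the rule deliberately compares whole values rather than substrings, which is the check to prefer over a CONTAINS condition when group names share a prefix.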


Hello,

Thank you for your reply

 

In OKTA, I have:

26-Vendor specific

25-Class

11-Filter-ID

 

I can specify "ACS:cisco-av-pair" only in "Group name format", which is returned to ISE (checked OK with Wireshark).

 

(screenshot: okta1.png)

 

(screenshot: okta2.png)

 

Thank you very much