timhowar
Cisco Employee

ISE with OKTA as Identity Store

Is their any guidance or documentation on using ISE with OKTA as the identity source? Can ISE use groups created in OKTA to do fine grained access control?

1 ACCEPTED SOLUTION

Accepted Solutions
thomas
Cisco Employee

http://cs.co/ise-guides#Okta ?

BTW, SAML Identity Stores are only valid for web portal based authentication and not 802.1X.


4 REPLIES
paul
Advocate

With all MFA vendors, I prefer to have them do a single role, which is to perform the MFA process and simply give me an accept or reject back indicating the MFA process passed or failed. Then I have ISE do all the necessary AD look-ups in the authorization phase to provide granular control. To that end, I always set up my MFA vendors as RADIUS Token servers and use that definition in the authentication section of my policy sets requiring MFA. After the user passes MFA, their username can be checked against AD to provide the granular control you want.

timhowar
Cisco Employee

What if the customer is replacing AD with Okta Universal Directory or never implemented AD in the first place? In that case, is ISE currently unable to do any kind of fine grained user control using groups? 

In all of my installs the customers have used AD as their source of truth. I haven't worked with OKTA Universal Directory, but I think you would have three options:

  1. Set up an LDAP connector in ISE to OKTA Universal Directory and do group lookups via LDAP in the authorization phase.
  2. If you use a RADIUS token definition for OKTA, you can define a RADIUS attribute on the advanced tab that OKTA will pass back to ISE. So your OKTA would do all the group checking and then set the RADIUS attribute accordingly. You can then use that RADIUS attribute in your authorization rules.
  3. You can define the OKTA servers as an external RADIUS server; then ISE basically just acts as a proxy between the NAD and OKTA, and all attributes sent from OKTA flow back to the NAD. I don't use this setup at all, but you could play around with it.
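Option 2 above only works safely if ISE acts on an attribute that genuinely came from the token server. As an added example (not from this thread, Cisco or Okta), the Python below builds a RADIUS Access-Accept carrying a Filter-Id attribute, verifies the RFC 2865 Response Authenticator before trusting the attribute, and maps its value to an authorization result. The attribute values, shared secret and rule names are assumed.

```python
import hashlib
import struct

# Constructed example: an Access-Accept carrying a Filter-Id attribute
# (hypothetical value "okta-group:network-admins") that the token server sets
# after doing its own group check, as in option 2 above.
ACCESS_ACCEPT = 2
FILTER_ID = 11  # RFC 2865 attribute type for Filter-Id

def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept with a valid Response Authenticator (RFC 2865 s.3)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_response(pkt, request_auth, secret):
    """Verify the Response Authenticator, then return (code, {type: [values]})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + request_auth + body + secret).digest()
    if expected != pkt[4:20]:
        # A reply that fails this check was not produced with our shared secret.
        raise ValueError("Response Authenticator mismatch: untrusted reply")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            raise ValueError("malformed attribute")
        attrs.setdefault(t, []).append(body[pos + 2:pos + l])
        pos += l
    return code, attrs

# Hypothetical ISE-style authorization rules keyed on the returned Filter-Id.
AUTHZ_RULES = {b"okta-group:network-admins": "ADMIN_ACCESS",
               b"okta-group:staff": "EMPLOYEE_ACCESS"}

def authorize(pkt, request_auth, secret):
    """Authorization phase: trust the attribute only after the packet checks out."""
    code, attrs = parse_response(pkt, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return "DENY"
    for value in attrs.get(FILTER_ID, []):
        if value in AUTHZ_RULES:
            return AUTHZ_RULES[value]
    return "DEFAULT_ACCESS"
```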
