10-16-2018 11:53 AM
ISE Experts,
I’m pretty sure the answer is yes, but can you please confirm that ISE can use an internal AD as an identity store and OKTA as an identity store in parallel? And if the customer uses the OKTA identity store in a policy, does it support group membership? A quick Google seems to indicate yes: https://support.okta.com/help/s/question/0D50Z00008G7VDwSAN/okta-integration-with-cisco-ise
Thank you experts!
10-17-2018 07:53 AM
Phi, can you provide more details regarding the inquiry? Such as what protocol is being used between OKTA and ISE, what it means by "use an identity store in parallel", how will group membership be shared to ISE from OKTA?
10-17-2018 07:57 AM
Protocol will be LDAP between OKTA and ISE.
What I mean by using both in parallel is if we can use OKTA and AD at the same time.
We want to make sure the group membership from OKTA can be used in an ISE policy.
10-17-2018 08:07 AM
Yes, what you mentioned is all supported. Just as a reminder, if this is for EAP, then there are certain EAP types that depend on the identity store to work. So if using both AD and LDAP for EAP, then you need to craft the ISE 802.1X authentication policy to avoid sending unsupported EAP types to LDAP: