Substituting Okta for RSA

fitzie
Level 1

We currently use ISE to process access requests from Global Protect users. The remote GP VPN users are currently using RSA via RADIUS. Works fine, so of course they want to change it up such that ISE forwards to Okta instead of RSA. Both Okta and RSA already talk to our AD environment, so I think it's mostly a matter of creating a new External Identity Source in ISE, and updating the specific Policy Set to use this new source.

I've not configured ISE with SAML before, and was hoping to find somebody who has been down this road.

1 Reply

Greg Gibbs
Cisco Employee

SAML IdP can only be used for specific portal-based flows in ISE. See the Admin Guide for more info.

If you need to use SAML for VPN + MFA, you would likely need to move to a different flow where the VPN headend (ASA/FTD) performs the Authentication directly against Okta using SAML and then hands off to ISE to perform Authorization only.

VPN headend <-> Okta SAML authC -> ISE AuthZ only

Example ASA + Okta SAML config:
https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Cisco-ASA-VPN.html

Example ASA RADIUS server config for ISE Authorization only:

aaa-server ISE_RAD protocol radius
 authorize-only
 interim-accounting-update
 dynamic-authorization
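To show how the pieces of that split flow fit together on the ASA side, here is an added, fuller configuration sketch (my own example, not from the reply above or from Cisco/Okta documentation). The Okta org/app URLs, the trustpoint names, the 192.0.2.10 address, the pool and group-policy names and the shared secret are all placeholders you would replace with your own values.

```cisco
! --- Okta as the SAML IdP (placeholder URLs; the idp name must equal the Okta entity ID/SSO URL) ---
webvpn
 saml idp https://OKTA_ORG.okta.com/app/OKTA_APP_ID/sso/saml
  url sign-in https://OKTA_ORG.okta.com/app/OKTA_APP_ID/sso/saml
  url sign-out https://OKTA_ORG.okta.com/app/OKTA_APP_ID/slo/saml
  base-url https://vpn.example.com
  trustpoint idp OKTA_IDP_CERT
  trustpoint sp ASA_SP_CERT
  no signature
  no force re-authentication
!
! --- ISE as RADIUS server group used for authorization and accounting only ---
! authorize-only: ASA sends an Authorize-Only request after SAML authentication succeeds
! dynamic-authorization: lets ISE send CoA (e.g. to quarantine or re-evaluate a session)
aaa-server ISE_RAD protocol radius
 authorize-only
 interim-accounting-update
 dynamic-authorization
aaa-server ISE_RAD (inside) host 192.0.2.10
 key RADIUS_SHARED_SECRET_PLACEHOLDER
 authentication-port 1812
 accounting-port 1813
!
! --- Tunnel group: SAML for authentication, ISE_RAD for authorization + accounting ---
tunnel-group GP_OKTA type remote-access
tunnel-group GP_OKTA general-attributes
 address-pool VPN_POOL
 authorization-server-group ISE_RAD
 accounting-server-group ISE_RAD
 authorization-required
 default-group-policy GP_OKTA_POLICY
tunnel-group GP_OKTA webvpn-attributes
 authentication saml
 saml identity-provider https://OKTA_ORG.okta.com/app/OKTA_APP_ID/sso/saml
 group-alias okta enable
```

On the ISE side the matching Policy Set should treat the request as authorization-only (the user identity arrives in the RADIUS User-Name, not a password), so build the authorization rules on AD group membership rather than on an authentication result.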