04-18-2019 02:36 PM
Hi, we want to use OKTA for MFA authentication, and below is what I did:
I put in my username and password, and a prompt shows up to enter the authentication code I received; then it shows me login failed.
The error is (authentication challenged no error).
Please advise if you have configured OKTA to authenticate with AnyConnect or if you know the solution.
aaa-server OktaRadiusGroup protocol radius
 max-failed-attempts 5
aaa-server OktaRadiusGroup (inside) host 10.x.x.x
 timeout 20
 key *****
 authentication-port 1812
 no mschapv2-capable
04-19-2019 06:16 AM
Are you following this guide?
https://help.okta.com/en/prod/Content/Topics/integrations/cisco-radius-intg.htm
You might want to run "debug radius all" on the ASA when you test so that you can see what is happening. Also, run a packet capture on the ASA as below:
capture capi interface <lan-interface-name> match ip host <asa-lan-interface-ip> host <okta-server>
then "show capture capi" after the test.
04-19-2019 08:44 AM
Yes, I followed the same guide.
When I try to test the server from ASDM getting below error:
Authentication Challenged: No error
04-19-2019 09:02 AM
Below is the packet capture when I try to connect from AnyConnect:
6 packets captured
1: 08:49:04.249498 asa-lan-interface.51617 > okta-server.1812: udp 657
2: 08:49:05.584228 okta-server.1812 > asa-lan-interface.51617: udp 220
3: 08:49:06.160056 asa-lan-interface.51617 > okta-server.1812: udp 747
4: 08:49:06.755743 okta-server.1812 > asa-lan-interface.51617: udp 172
5: 08:49:16.361751 asa-lan-interface.51617 > okta-server.1812: udp 747
6: 08:49:16.880813 okta-server.1812 > asa-lan-interface.51617: udp 39
6 packets shown
Below is the packet capture when I try to test from ASDM:
8 packets captured
1: 08:49:04.249498 asa-lan-interface.51617 > okta-server.1812: udp 657
2: 08:49:05.584228 okta-server.1812 > asa-lan-interface.51617: udp 220
3: 08:49:06.160056 asa-lan-interface.51617 > okta-server.1812: udp 747
4: 08:49:06.755743 okta-server.1812 > asa-lan-interface.51617: udp 172
5: 08:49:16.361751 asa-lan-interface.51617 > okta-server.1812: udp 747
6: 08:49:16.880813 okta-server.1812 > asa-lan-interface.51617: udp 39
7: 08:50:32.104074 asa-lan-interface.51617 > okta-server.1812: udp 87
8: 08:50:33.321470 okta-server.1812 > asa-lan-interface.51617: udp 220
8 packets shown
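The "Authentication Challenged" result and the three request/reply pairs in the captures are what a RADIUS Access-Challenge round trip looks like: the server answers the first Access-Request with code 11 (Access-Challenge) carrying a Reply-Message and a State attribute, the ASA prompts for the code and sends a second Access-Request that must echo that State, and only then does the server return Access-Accept or Access-Reject. The following decoder is an added example, not code from this thread, Cisco or Okta; it parses RADIUS packets per RFC 2865 and checks the State echo over a constructed sample exchange (the byte strings are made up, not taken from the captures above).

```python
import struct

# RADIUS packet codes and the attribute types that matter in an MFA challenge flow (RFC 2865).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 18: "Reply-Message", 24: "State"}


def parse_radius(pkt: bytes) -> dict:
    """Decode the 20-byte RADIUS header and the TLV attribute list of one UDP payload."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length field %d inconsistent with %d bytes" % (length, len(pkt)))
    attrs, off = {}, 20  # dict: a repeated attribute keeps its last value (enough for this check)
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed attribute at offset %d" % off)
        attrs[ATTRS.get(atype, "Attr-%d" % atype)] = pkt[off + 2:off + alen]
        off += alen
    return {"code": CODES.get(code, "Code-%d" % code), "id": ident, "attrs": attrs}


def build_radius(code: int, ident: int, attrs: list) -> bytes:
    """Build a packet for the constructed sample (zeroed authenticator, no Message-Authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body


def explain_reply(reply: bytes) -> str:
    """Say what the NAS (the ASA) must do with a server reply."""
    d = parse_radius(reply)
    text = d["attrs"].get("Reply-Message", b"").decode("utf-8", "replace")
    if d["code"] == "Access-Challenge":
        return "challenge: prompt the user (%s) and resend an Access-Request echoing State" % text
    if d["code"] == "Access-Reject":
        return "reject: %s" % (text or "no Reply-Message")
    return d["code"].lower()


def state_echoed(challenge: bytes, followup: bytes) -> bool:
    """The follow-up Access-Request must carry the challenge's State unchanged (RFC 2865 5.24)."""
    c, f = parse_radius(challenge), parse_radius(followup)
    return (c["code"] == "Access-Challenge" and f["code"] == "Access-Request"
            and "State" in c["attrs"] and f["attrs"].get("State") == c["attrs"]["State"])


# Constructed sample exchange: challenge, follow-up that echoes State, then a reject.
CHALLENGE = build_radius(11, 7, [(18, b"Enter your Okta verification code"), (24, b"okta-txn-1")])
FOLLOWUP = build_radius(1, 8, [(1, b"alice"), (24, b"okta-txn-1")])
REJECT = build_radius(3, 8, [(18, b"Invalid passcode")])
```

Run it against the payloads of the captured packets (e.g. exported with "copy /pcap capture:capi") to confirm whether the small final reply from the server is an Access-Reject and whether the ASA echoed the State it was given.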
04-10-2020 08:36 AM
Was anyone able to resolve this? We'd like to use SAML and not RADIUS. Thanks