Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
492
Views
0
Helpful
1
Replies

OKTA Radius MFA (no ISE)?

the-lebowski
Level 4
Level 4

‎08-22-2023 07:14 AM

We currently use DUO for MFA via AnyConnect and works great. 

However, we are trying to unify across the board via OKTA.  We configured an OKTA Radius agent and added it to a test AnyConnect profile and testing discovered that the only thing that seems to work is a push to the OKTA verify APP.  Meaning if a user enters their password as password,sms password,email password,<otp code>  none of them work and return a login failed message.   The only combination that works is password,push which is the same as not putting anything after the users password because all it does is push a request to the OKTA verify app on the users phone.

Does anyone have sms/email/call/OTP working using this method? If so can you share what I need to do?  I can't have the only option for MFA to be a push to a users phone as not all user will have that capability. OKTA support hasn't been very helpful and their documentation leaves a little to be desired. 

These are the options we have configured on the OKTA side:

 

thelebowski_0-1692713506698.png

thelebowski_1-1692713569975.png

 

Labels:
0 Helpful
1 Reply 1

Milos_Jovanovic
VIP Alumni
VIP Alumni

‎08-23-2023 12:48 AM

Hi @the-lebowski,

I don't have experience with Okta specifically, but I wanted to ask you if you are using ISE or any other RADIUS server? How do you handle authorization part?

The reason for asking is that I wanted to sugest to go for secondary authentication option within AnyConnect - it is different server and another filed in AC login prompt to which different server can be defined. I had an experience with other MFA vendors that this was the only supported integration method, so I wanted to suggest to try that, if doable.

It looks to me that your RADIUS server doesn't support RADIUS Challenge/Response mechanism, which is required for interactive logins, where additional input is required from cliend. With push, it still requires MFA, but not via RADIUS packet, so your RADIUS server only returns Access-accept message back to ASA/FTD, which is why push is working for you (interactive part is happening in RADIUS backend).

Kind regards,

Milos

0 Helpful
Customers Also Viewed These Support Documents