AnyConnect AAA with ISE and Okta (MFA).

AlexandreMoniot
Level 1

Hello,

I want to put MFA for some of my SSL VPN users.

My clients are using AnyConnect to open their SSL VPN connection to a Firepower cluster.

The firewall uses Radius to authenticate and authorize users via Cisco ISE.

I have two identity stores.
The first one is ISE's internal DB for some of my contractors.
The second one is an LDAP directory for our employees.

Currently, the authentication rule of my VPN uses an identity source sequence as follows: local DB -> if user not found (i.e. it is not a contractor) -> LDAP.

Everything works fine.

To enable MFA, I have added a new identity source as a RADIUS Token Server pointing to Okta.

My LDAP is synced to Okta but with a group criterion; that way, not all of my users are provisioned into Okta.
I don't want to add all of my users to MFA because not all of them are subject to MFA, and since the licensing is per user in Okta, I don't want to sync everybody (that's part of the problem here, I will explain).

If I put Okta as the identity source, it's working: I get an MFA notification and if I validate it, ISE receives Access-Accept and then checks the authorization policy => Looks good.

But the problem is to authenticate my users who are not provisioned in Okta (and so are not subject to MFA).

Currently I have tested adding Okta to my identity sequence: LocalDB -> Okta -> LDAP

If the user is not a contractor (not in ISE's local DB) -> User not found and ISE continues with Okta => that's ok

If the user is known in Okta, it's the same scenario as above: MFA challenge and, if validation is successful, Access-Accept and ISE goes to AuthZ. => that's ok too.

And here is the problem.

If the user is not known in Okta or the MFA challenge is not validated, ISE receives an Access-Reject. => That's what we want if the MFA challenge fails, but not if the user is not found, because it could be a user who is not subject to MFA.

The only solution that I have found to get ISE to continue authentication to the 3rd identity source, which is my LDAP, is to configure how ISE will treat the RADIUS token server's (i.e. Okta's) Access-Reject.

It could be "UserNotFound" or Access-Reject.

In case 1, the lookup continues to LDAP, so it's working, but it does so even if the MFA challenge is unsuccessful, because the response from Okta is always Access-Reject whether the user does not exist or the MFA failed, and so ISE treats that as a "UserNotFound".

In case 2, if my user is not subject to MFA but is allowed to connect to the SSL VPN, he will not be allowed in, because Okta will send Access-Reject as it cannot find that user, and then ISE will send it to the firewall without checking the LDAP identity source, which results in a failed login for my user.

Do you have any advice on how to configure this?

Thank you.

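A small Python model of the identity source sequence described in the post, added here as an example (it is not ISE or Okta code; the store contents, sample user names and the two reject-handling modes are constructed assumptions). It shows why neither way of treating the token server's Access-Reject gives the wanted result: a RADIUS token server answers with the same Access-Reject for an unknown user and for a failed MFA challenge, so ISE cannot tell the two apart.

```python
"""Hypothetical model of an ISE identity source sequence containing a
RADIUS token server. Each store answers ACCEPT, REJECT or NOT_FOUND;
the token server can only answer ACCEPT or REJECT, so "user unknown"
and "MFA failed" look identical to the sequence."""
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NOT_FOUND = "not_found"


# Constructed sample identity data (not taken from the post).
LOCAL_DB = {"contractor1"}
OKTA_USERS = {"mfa_user_pass": True, "mfa_user_fail": False}  # value = MFA result
LDAP_USERS = {"mfa_user_pass", "mfa_user_fail", "plain_employee"}


def query_local(user):
    return Outcome.ACCEPT if user in LOCAL_DB else Outcome.NOT_FOUND


def query_okta(user, reject_means):
    """RADIUS token server: only Access-Accept / Access-Reject exist.
    reject_means models how ISE is told to treat Access-Reject:
    'user_not_found' keeps walking the sequence, 'reject' stops it."""
    if OKTA_USERS.get(user):
        return Outcome.ACCEPT
    return Outcome.NOT_FOUND if reject_means == "user_not_found" else Outcome.REJECT


def query_ldap(user):
    return Outcome.ACCEPT if user in LDAP_USERS else Outcome.NOT_FOUND


def run_sequence(user, reject_means):
    """Walk LocalDB -> Okta -> LDAP as the post describes: continue only
    on NOT_FOUND, stop on the first ACCEPT or REJECT."""
    for store in (query_local, lambda u: query_okta(u, reject_means), query_ldap):
        result = store(user)
        if result is not Outcome.NOT_FOUND:
            return result
    return Outcome.REJECT  # no store knew the user


def evaluate(reject_means):
    users = ["contractor1", "mfa_user_pass", "mfa_user_fail", "plain_employee"]
    return {u: run_sequence(u, reject_means).value for u in users}


if __name__ == "__main__":
    for mode in ("user_not_found", "reject"):
        print(mode, evaluate(mode))
```

With 'user_not_found' the employee who fails MFA is still accepted by LDAP (MFA is bypassed); with 'reject' the employee who is not in Okta never reaches LDAP.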