Okta Cisco Anyconnect

  

During this task we will define an AAA Server Group on the Cisco ASA, add the Okta RADIUS Server Agent to that group as a RADIUS server, point the AnyConnect connection profile at the group while confirming that no conflicting authorization or accounting settings exist, and extend the AnyConnect client authentication timeout so that users have enough time to complete the MFA prompt.

Cisco AnyConnect Secure Mobility Client: secure VPN access for remote workers. For organizations of all sizes that need to protect sensitive data at scale, Duo is the user-friendly zero-trust security platform for all users, all devices and all applications.

Without backend changes, is there a way to use the Cisco AnyConnect client to connect to the GlobalProtect VPN and then continue authentication via Okta? Cisco AnyConnect and GlobalProtect use completely different protocols. However, you can use OpenConnect or one of its graphical clients.

This guide details how to configure Cisco Meraki wireless access points to use the Okta RADIUS Server Agent and EAP-TTLS. The following network diagram shows the flow between Meraki and several endpoints using Okta. For details of the flow between Okta, the RADIUS agent and Cisco Meraki, see Cisco Meraki RADIUS integration flow.

AnyConnect by Cisco is a robust VPN tool built with a large-scale company in mind. Cisco offers several options for businesses that wish to subscribe to its VPN services, including both term (1.

To connect to Mercer's network using the Cisco AnyConnect Secure Mobility Client (VPN) software: click the Windows Start button, click the Cisco folder, and choose the Cisco AnyConnect Secure Mobility Client. When the following window opens, enter vpn.mercer.edu and click Connect. Select Faculty/Staff from the Group drop-down menu, enter the.

Steps


Before you begin

  • Ensure that you have the UDP port and shared secret (secret key) values configured for the Okta RADIUS application available; the same values are entered on the ASA below.


Define an AAA Server Group

  1. Sign in to the Cisco ASDM console for the VPN appliance with sufficient privileges.
  2. Navigate to Configuration > Remote Access VPN > AAA/Local users > AAA server groups, as shown below.
  3. Click Add to create a new group. The Add AAA Server Group screen opens, as shown below.
  4. Leave the default settings except for the following:

    • AAA Server Group – specify a name that identifies the group as the MFA (Okta RADIUS) server group

    • Protocol – select RADIUS


Add AAA Server(s) to your AAA Server Group

  1. Click OK to return to the Cisco ASDM console, shown in step 2, above.

  2. Click Remote Access VPN and navigate to AAA/Local Users > AAA Server Groups. Select the server group you just created.

  3. Click Add. The screen shown below opens.

  4. Leave the default settings except for the following:
    • Interface Name – select the ASA interface that will handle communication with the MFA server (the host running the Okta RADIUS Server Agent)
    • Server Name or IP Address – specify the hostname or IP address of the host running the Okta RADIUS Server Agent
    • Timeout (seconds) – 60 seconds, so the ASA waits long enough for the user to complete the MFA prompt
    • Server Authentication Port – enter the UDP port you configured for the RADIUS application in Okta. Port 1812 is used in this example.
    • Server Accounting Port – 1646. The Okta RADIUS Server Agent does not process accounting, so this value is never used, but ASDM requires a value to complete the setup.
    • Retry Interval – leave default at 60 seconds
    • Server Secret Key – the shared secret you defined for the RADIUS application in Okta. The ASA uses this secret to obfuscate the PAP password in every request and to validate the agent's replies, so use a long random value.
    • Common Password – leave blank
    • Uncheck Microsoft CHAPv2 Capable (important). The Okta RADIUS Server Agent authenticates with PAP; if this box is left checked the ASA sends MS-CHAPv2 credentials that the agent cannot verify, and logins fail.
  5. When done, click OK.
  6. Click APPLY to save the configuration.


Modify the AnyConnect Connection Profile to use the AAA Server Group

In this step you will also confirm that no conflicting or contrary Authorization/Authentication/Accounting settings exist.

  1. In the Cisco ASDM console for the VPN appliance, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles, as shown below.
  2. Highlight the desired connection profile in the Connection Profiles section and click Edit above the list of profile names. The screen shown below opens.

  3. In the Authentication section, set the Method to AAA.
  4. Choose the AAA Server Group you previously created or modified, and click Advanced in the left column. The screen shown below opens.
  5. Click Secondary Authentication on the left and confirm that the “Secondary Authentication Server Group” is undefined.

    Note

    The configuration described in this guide is also known as 'multi-step authentication': the Okta RADIUS Server Agent verifies the password and then returns a RADIUS Access-Challenge to collect the second factor over the same AAA Server Group.

    An alternative configuration uses the “Secondary Authentication Server Group” to perform MFA in a different flow. In the configuration described in this guide, “secondary” authentication (the MFA prompt) is handled by the servers in the main AAA Server Group using RADIUS Access-Challenge and response messages.

    In the alternative configuration, the Primary AAA Server Group performs primary authentication (username/password), for example against an Okta RADIUS Server Agent whose Okta application is configured for primary authentication only. The Secondary AAA Server Group performs secondary authentication against a second group, usually an Okta RADIUS Server Agent whose Okta application is explicitly configured not to perform primary authentication and is used only to verify a registered factor (push, Okta Verify OTP, SMS OTP, etc.).

    Reasons for using this alternative configuration can include:

    • Primary authentication server is providing additional accounting, authorization or connection details that Okta cannot
    • Compliance reasons that dictate a non-multistep MFA experience
  6. Click Authorization on the left and confirm that the Server Group value is set to None, as shown below.

    Note

    Configurations that use an additional, distinct Authorization Server Group exist and are beyond the scope of this guide. Okta has seen issues when this setting points to an AAA Server Group populated with Okta RADIUS Server Agents: in those cases a superfluous Access-Request message is sent to the Okta RADIUS Server Agent.

  7. Click Accounting on the left and confirm that the Accounting Server Group value is set to None, as shown below.

    Note

    There might be cases where a unique and meaningful Accounting Server Group is useful. AAA Server Groups with Okta RADIUS Server agents do not support RADIUS Accounting messages.

  8. Click OK to save the settings.
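As an added worked example (not code from Okta's guide or from Cisco), the following Python simulates the exchange that the AAA server definition above and the multi-step note set up: the ASA sends an Access-Request to UDP 1812 with the password as a PAP User-Password masked with the shared secret, the agent answers with an Access-Challenge carrying a State attribute, the ASA sends the OTP with that State echoed back, and the agent answers Access-Accept or Access-Reject. Packet encoding, PAP masking and the Response Authenticator follow RFC 2865; the agent side (`SimulatedOktaRadiusAgent`) is a stand-in for the behaviour the note describes, not Okta's implementation, and the secret, user, password and OTP are constructed sample data. `anyconnect_login` is a name chosen for this example.

```python
import hashlib, hmac, os, struct

# RADIUS codes and attribute types used here (RFC 2865). The ASA sends to UDP 1812, the port set in ASDM.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24

# Constructed sample data for the simulation; a real shared secret is long, random and not on a page.
SECRET = b"example-shared-secret"
USERS = {"alice": "CorrectHorse"}
OTPS = {"alice": "123456"}

def encode_attrs(attrs):
    """Serialize [(type, value), ...] as RADIUS TLVs; the length byte covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs

def pap_transform(data, secret, request_auth, encrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if encrypt else data[i:i + 16])
    return out

def build_request(ident, secret, username, password, state=None):
    """ASA side: Access-Request with a PAP User-Password; State echoes an earlier Access-Challenge."""
    request_auth = os.urandom(16)
    pw = password.encode()
    pw += b"\x00" * (16 - len(pw) % 16 if len(pw) % 16 or not pw else 0)  # PAP pads to 16-byte blocks
    attrs = [(ATTR_USER_NAME, username.encode()), (ATTR_USER_PASSWORD, pap_transform(pw, secret, request_auth, True))]
    if state is not None:
        attrs.append((ATTR_STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body

def build_response(code, ident, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    return code, ident, packet[4:20], decode_attrs(packet[20:])

def response_is_authentic(response, request_auth, secret):
    """What the ASA checks before acting on a reply; a mismatched shared secret fails here."""
    code, ident, _, attrs = parse(response)
    return hmac.compare_digest(response, build_response(code, ident, request_auth, secret, attrs))

class SimulatedOktaRadiusAgent:
    """Simulation (not Okta's code) of the agent in multi-step mode: password -> Challenge+State, then OTP+State -> Accept/Reject."""

    def __init__(self, secret, passwords, otps):
        self.secret, self.passwords, self.otps, self.pending = secret, passwords, otps, {}

    def handle(self, packet):
        _, ident, request_auth, attrs = parse(packet)
        a = dict(attrs)
        user = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
        typed = pap_transform(a.get(ATTR_USER_PASSWORD, b""), self.secret, request_auth, False).rstrip(b"\x00").decode(errors="replace")
        if ATTR_STATE not in a and self.passwords.get(user) == typed:  # step 1: primary authentication
            token = os.urandom(16)
            self.pending[token] = user
            prompt = [(ATTR_STATE, token), (ATTR_REPLY_MESSAGE, b"Enter your Okta Verify code")]
            return build_response(ACCESS_CHALLENGE, ident, request_auth, self.secret, prompt)
        if ATTR_STATE in a and self.pending.pop(a[ATTR_STATE], None) == user and self.otps.get(user) == typed:
            return build_response(ACCESS_ACCEPT, ident, request_auth, self.secret, [])  # step 2: factor verified
        return build_response(ACCESS_REJECT, ident, request_auth, self.secret, [])

def anyconnect_login(agent, asa_secret, username, password, otp):
    """The two-step exchange the ASA runs against one AAA Server Group; returns the outcome as a string."""
    credential, state = password, None
    for ident in (1, 2):
        req = build_request(ident, asa_secret, username, credential, state)
        resp = agent.handle(req)
        if not response_is_authentic(resp, req[4:20], asa_secret):
            return "discarded"  # the ASA drops the reply; the user sees a timeout, not a failure
        code, _, _, attrs = parse(resp)
        if code != ACCESS_CHALLENGE:
            return "accept" if code == ACCESS_ACCEPT else "reject"
        credential, state = otp, dict(attrs)[ATTR_STATE]
    return "reject"  # a second challenge is not part of this flow

if __name__ == "__main__":
    agent = SimulatedOktaRadiusAgent(SECRET, USERS, OTPS)
    for asa_secret, otp in ((SECRET, "123456"), (SECRET, "000000"), (b"wrong-secret", "123456")):
        print(anyconnect_login(agent, asa_secret, "alice", "CorrectHorse", otp))  # accept, reject, discarded
```

The three runs show the outcomes worth recognising when troubleshooting: a correct password and OTP returns "accept" after one Access-Challenge, a wrong OTP returns "reject", and an ASA-side secret that differs from the agent's returns "discarded". That last case is what a shared-secret mismatch looks like in practice: the agent unmasks the password to garbage and rejects, but the ASA cannot validate the Response Authenticator, drops the reply, and the user sees a timeout rather than an authentication failure. Note also that the Access-Request itself carries nothing the agent can verify (only the reply is authenticated), and PAP protects the password with nothing stronger than an MD5 keystream derived from the secret, which is why the secret should be long and random and the ASA-to-agent path kept on a trusted network segment.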

Modify the AnyConnect Client Profile to extend the timeout

  1. In the Cisco ASDM console, click the Configuration button, and then click the Remote Access VPN button.
  2. Navigate to Network (Client) Access > AnyConnect Client Profile, highlight the desired client profile, and click Edit, as shown below.
  3. In the screen that opens, select Preferences (Part 2), as shown below.
  4. Scroll down, locate Authentication Timeout (seconds), and set the value to 60. This matches the 60-second server timeout configured for the AAA server above and gives the user time to approve a push or type an OTP before the client gives up on the login.

  5. Click OK to save the settings.
  6. Click Commit to save the Okta RADIUS configuration within the Cisco ASDM console.

How To Steps:


Install VPN


Download the package

Locate the VPN installer you downloaded (anyconnect.exe) and double-click the exe to run the installer.


Click the Next button to proceed.

Select the I accept the terms in the License Agreement radio button then click the Next button to proceed.

Click the Install button to proceed.

Click the Finish button to complete installation.

Connect to VPN

Locate and launch the Cisco AnyConnect Secure Mobility Client application in your Start Menu to proceed.


Enter vpn.iastate.edu in the text field then click the Connect button to proceed.

Select SSLvpn in the Group drop-down menu. Enter your ISU Net-ID and password in the Username and Password fields then click the OK button to connect to VPN.

Disconnect from VPN

Locate the Cisco AnyConnect Secure Mobility Client icon in your task-bar to proceed.


Right-click the Cisco AnyConnect Secure Mobility Client icon and click Quit in the drop-down menu to disconnect from VPN.