Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
  • 1.  Okta MFA

    Posted Jan 29, 2019 02:40 PM

    I have been asked if we can use Okta for multifactor authentication of our remote VPNs and other services. I see where Okta can be used for SSO and Onboard, but I would need it for a RADIUS Service. I saw a post from 2017 that says this may be deprecated, but as of 6.7.7 you can add Okta as an auth source type. However, I see no documentation on how to use it.

     

    Can someone shed some light on Okta integration and if it can be used this way?



  • 2.  RE: Okta MFA

    EMPLOYEE
    Posted Jan 29, 2019 02:42 PM
    Can you please expand on the end to end workflow?


  • 3.  RE: Okta MFA

    Posted Jan 29, 2019 02:57 PM

    Currently, our VPN users are connecting using a combination of their username and code from Google Authenticator as their username and they use their password as the password. That request goes to ClearPass and it forwards to a server that can parse the creds and sends back an accept or deny.

     

    Not sure if Okta can do a similar parse or do a push verify to their app when a user tries to connect. 



  • 4.  RE: Okta MFA
    Best Answer

    EMPLOYEE
    Posted Jan 29, 2019 02:59 PM
    You can deploy the same thing using the Okta RADIUS server configured as a Token Server auth source in ClearPass.


  • 5.  RE: Okta MFA

    Posted Jan 29, 2019 03:07 PM

    So it is correct that this will be going away?

    image.png



  • 6.  RE: Okta MFA

    EMPLOYEE
    Posted Jan 29, 2019 03:10 PM
    Yes, it will. It is not supported and was used for a previous integration that is no longer available.


  • 7.  RE: Okta MFA

    Posted Apr 29, 2019 06:55 PM

    Is there any how-to documentation for using 2FA/Token-based authentication for RADIUS supplicants?



  • 8.  RE: Okta MFA

    EMPLOYEE
    Posted Apr 29, 2019 07:49 PM
    Do you mean 802.1X workflows?


  • 9.  RE: Okta MFA

    Posted Apr 29, 2019 07:55 PM

    Yes for 802.1x, thanks

     



  • 10.  RE: Okta MFA

    EMPLOYEE
    Posted Apr 29, 2019 07:58 PM
    There is really no scalable way to do MFA at the supplicant level.


  • 11.  RE: Okta MFA

    Posted Apr 29, 2019 08:10 PM

    How about any general token server how-to docs, e.g. for the OP's VPN workflow? ClearPass user docs show how to set up Token servers but don't give example use cases of what can be achieved with them.