ASA VPN: Okta RADIUS → Entra ID SAML Migration

Project Summary

Migrate ASA VPN authentication from the Okta RADIUS proxy to Microsoft Entra ID via SAML 2.0. The preferred design uses ISE 3.2 as a SAML identity provider proxy between the ASA and Entra (Option A below); because that capability is unconfirmed on ISE 3.2, the fallback is the Cisco-documented pattern in which the ASA is the SAML SP talking directly to Entra and ISE provides RADIUS authorization and posture (Option B). Either way this eliminates the Okta RADIUS agent dependency, consolidates identity in Entra ID, and enables Conditional Access policy enforcement on VPN sessions.

Architecture — Current vs Target

| Component | Current State | Target State |
|---|---|---|
| Identity Provider | Okta | Microsoft Entra ID |
| Auth Protocol (IdP → ISE) | RADIUS (Okta RADIUS agent) | SAML 2.0 |
| Auth Protocol (ASA → ISE) | RADIUS | SAML 2.0 (ASA as SAML SP; under Option B the ASA keeps a RADIUS authorization path to ISE) |
| MFA | Okta Verify | Entra ID MFA (Authenticator / FIDO2 / phone) |
| Conditional Access | Okta policies | Entra Conditional Access |
| ISE Role | RADIUS server | SAML IdP proxy (brokers between ASA SP and Entra IdP); RADIUS authorization/posture only under Option B |
| VPN Client | AnyConnect | AnyConnect (unchanged) |

Phase Summary

| Phase | Description | Status | Notes |
|---|---|---|---|
| 0: Pre-Work | Inventory, dependencies, Entra app registration, risk assessment | ❌ Not started | |
| 1: Entra ID Configuration | Enterprise app, SAML SSO, claims mapping, Conditional Access | ❌ Not started | |
| 2: ISE 3.2 SAML Configuration | External SAML IdP, IdP proxy, certificate exchange | ❌ Not started | ISE 3.2 specific: check SAML support matrix |
| 3: ASA SAML Service Provider | ASA SAML SP config, tunnel-group binding, certificate trust | ❌ Not started | |
| 4: AnyConnect Client Config | Connection profile, embedded browser vs native, SAML metadata | ❌ Not started | |
| 5: Lab Validation | End-to-end test in d000 lab before production | ❌ Not started | Requires lab ASA + ISE + Entra test tenant |
| 6: Pilot Deployment | IT security team pilot group | ❌ Not started | |
| 7: Production Cutover | Full user migration, Okta RADIUS decommission | ❌ Not started | CR required |
| 8: Okta Decommission | Remove RADIUS agent, disable Okta VPN app, cleanup | ❌ Not started | Post-validation soak period |

Risk Assessment

ISE 3.2 SAML Considerations

ISE's documented SAML Id Provider configuration is used for sign-on to ISE's own portals (admin, sponsor, guest, BYOD); whether ISE 3.2 can also front a third-party SP such as the ASA has not been confirmed, and this plan assumes that capability was enhanced in 3.3+. Verify the following before committing to this architecture.

| Item | Risk | Mitigation |
|---|---|---|
| ISE 3.2 SAML IdP proxy | Feature may be limited or absent in 3.2 | Verify in the ISE 3.2 admin guide. If absent, ISE stays a RADIUS server only and the ASA talks SAML directly to Entra (Option B). |
| ASA SAML + ISE RADIUS hybrid | If ISE cannot proxy SAML in 3.2, the ASA handles SAML directly with Entra and ISE provides posture/authz via RADIUS | This is the Cisco-documented pattern for ASA + Entra ID and does not depend on the ISE version |
| AnyConnect client version | ASA SAML SSO requires AnyConnect 4.6+ using the client's embedded browser; pre-4.6 clients cannot complete the SAML flow, and there is no automatic fallback. External (OS) browser mode is a separate, later ASA/AnyConnect option (check release notes for the versions in use); it is needed if Conditional Access evaluates device state that the embedded browser cannot present. | Audit minimum AnyConnect version across the fleet; decide embedded vs external browser in Phase 4 |
| Entra signing certificate lifecycle | The ASA trusts the Entra SAML signing certificate via a trustpoint; when Entra rotates or expires that certificate, every SAML login fails until the trustpoint is updated | Record the certificate expiry from the Entra app, schedule rotation, and stage the new certificate in a second trustpoint before switching |
| Entra Conditional Access + VPN | CA policies may block VPN if device compliance is not met; could lock out users | Start with a permissive CA policy (MFA only), tighten during pilot |
| MFA transition | Users currently on Okta Verify must enroll in Microsoft Authenticator / FIDO2 | Parallel MFA enrollment period before cutover |
| Rollback path | If SAML fails, must be able to revert to Okta RADIUS quickly | Keep Okta RADIUS active during pilot: dual-path config with a separate tunnel-group/alias per auth path |

Two Architecture Options

Option A: ISE as SAML IdP Proxy (if ISE 3.2 supports it)

AnyConnect → ASA (SAML SP) → ISE 3.2 (SAML IdP Proxy) → Entra ID (SAML IdP)
  • ISE brokers the SAML exchange

  • ISE applies posture and authorization inline

  • Single policy enforcement point

Option B: ASA Direct SAML + ISE RADIUS (Cisco documented pattern)

AnyConnect → ASA (SAML SP) → Entra ID (SAML IdP)
                ASA → ISE (RADIUS) → posture/authz
  • ASA handles SAML authentication directly with Entra

  • After the assertion is accepted, the ASA performs RADIUS authorization against ISE (authorization-server-group); ISE applies posture and returns group-policy / ACL attributes

  • DAP (Dynamic Access Policy) on the ASA then applies per-session policy from the returned AAA attributes; tunnel-group selection itself happens before authentication (URL, alias or certificate), not from SAML attributes

  • This is the well-documented pattern for ASA + Azure AD/Entra

Recommendation: Validate Option A first (cleaner). Fall back to Option B if ISE 3.2 SAML proxy is insufficient.
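The two settings that most often break Option B in practice are an entity ID on the ASA that does not exactly match Entra's (the trailing slash in `https://sts.windows.net/<tenant>/` is the usual culprit) and an ASA trustpoint still holding a rotated or expired Entra signing certificate. The script below is an added example for Phases 2 and 3 of this plan, not Cisco's, Microsoft's or the project's own code: it parses the federation metadata XML that Entra exports for an enterprise app, extracts what the ASA needs (entity ID, sign-in/sign-out URLs, signing-certificate thumbprint), checks a configured ASA against it, and renders the matching ASA SAML SP and tunnel-group lines plus the Identifier/Reply URL values to enter in the Entra app. The tenant ID, hostname `vpn.example.com`, trustpoint and tunnel-group names, and the embedded metadata sample are constructed placeholders.

```python
"""Check Entra ID SAML federation metadata against ASA SAML SP settings.

Added example for this migration plan; not vendor or project code. The metadata
sample, tenant ID, hostnames and object names below are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of Entra federation metadata. The "certificate"
# is arbitrary bytes, not a real X.509 DER; only its SHA-1 (the Entra portal
# "Thumbprint") is used here.
TENANT = "00000000-0000-0000-0000-000000000000"
FAKE_CERT_B64 = base64.b64encode(b"constructed bytes, not a real X.509 certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def thumbprint(cert_b64):
    """SHA-1 over the DER bytes, uppercase hex: the value the Entra portal shows
    and the fingerprint the ASA prints in 'show crypto ca certificates <tp>'."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().upper()


def parse_idp_metadata(xml_text):
    """Extract entity ID, HTTP-Redirect SSO/SLO URLs and signing thumbprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def redirect_url(tag):
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == REDIRECT:
                return svc.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # no 'use' means both
            continue
        c = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c is not None and c.text:
            certs.append(c.text)
    return {
        "entity_id": root.get("entityID"),
        "sign_in": redirect_url("SingleSignOnService"),
        "sign_out": redirect_url("SingleLogoutService"),
        "signing_thumbprints": [thumbprint(c) for c in certs],
    }


def check_asa_against_metadata(meta, asa_saml_idp_name, asa_trustpoint_fingerprint):
    """Return a list of findings; an empty list means the ASA matches Entra."""
    findings = []
    if asa_saml_idp_name != meta["entity_id"]:
        findings.append(f"ASA 'saml idp {asa_saml_idp_name}' != metadata entityID "
                        f"{meta['entity_id']!r} (exact match, trailing slash included)")
    fp = asa_trustpoint_fingerprint.replace(":", "").upper()
    if fp not in meta["signing_thumbprints"]:
        findings.append("ASA idp trustpoint cert is not a current Entra signing cert (rotated/expired?)")
    return findings


def entra_app_values(base_url, tunnel_group):
    """Identifier and Reply URL the ASA expects to be registered in the Entra app."""
    return {"identifier": f"{base_url}/saml/sp/metadata/{tunnel_group}",
            "reply_url": f"{base_url}/saml/sp/acs?tgname={tunnel_group}"}


def asa_config(meta, base_url, tunnel_group, idp_trustpoint="ENTRA-SAML-SIGN",
               sp_trustpoint="ASA-SSL-TP", authz_group="ISE-RADIUS"):
    """Render the Option B ASA lines: SAML to Entra, RADIUS authorization to ISE."""
    return "\n".join([
        "webvpn",
        f" saml idp {meta['entity_id']}",
        f"  url sign-in {meta['sign_in']}",
        f"  url sign-out {meta['sign_out']}",
        f"  trustpoint idp {idp_trustpoint}",      # holds the Entra signing cert
        f"  trustpoint sp {sp_trustpoint}",        # ASA's own identity cert
        "  no signature",                          # Entra does not require signed AuthnRequests
        f"  base-url {base_url}",                  # must match the Reply URL host in Entra
        "!",
        f"tunnel-group {tunnel_group} type remote-access",
        f"tunnel-group {tunnel_group} general-attributes",
        f" authorization-server-group {authz_group}",   # ISE posture / group-policy
        " authorization-required",
        f"tunnel-group {tunnel_group} webvpn-attributes",
        " authentication saml",
        f" saml identity-provider {meta['entity_id']}",
        f" group-alias {tunnel_group} enable",
    ])
```

Run it against the real `FederationMetadata.xml` downloaded from the Entra app's SAML settings, paste the ASA's `saml idp` name and the trustpoint fingerprint into `check_asa_against_metadata`, and keep the legacy RADIUS tunnel-group (pointing at ISE and the Okta agent) alongside the generated one until the pilot soak is over.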

Dependencies

  • Entra ID Global Admin or Application Admin access for app registration

  • ISE 3.2 admin access — verify SAML IdP configuration pages exist

  • ASA admin access — config-webvpn mode

  • AnyConnect version audit — minimum 4.6 for embedded browser SAML

  • Okta admin access — for RADIUS agent decommission timeline

  • Certificate authority — SAML signing certs (ISE, Entra, ASA trust chain)

  • Change request — CR for production cutover

  • Lab environment — d000 with ASA, ISE, Entra test tenant

| Field | Value |
|---|---|
| PRJ ID | PRJ-2026-06-asa-vpn-okta-to-entra |
| Author | Evan Rosado |
| Created | 2026-06-02 |
| Updated | 2026-06-02 |
| Status | Draft |
| Category | Infrastructure / Identity Migration |
| Priority | P1 |
| ISE Version | 3.2 |
| Source IdP | Okta (RADIUS) |
| Target IdP | Microsoft Entra ID (SAML 2.0) |
| VPN Platform | Cisco ASA |
| Dependencies | Entra ID tenant, ISE 3.2 SAML config, ASA SAML SP config, Okta decom plan |