Phase 0: Pre-Work

Current State Inventory

  • Document current Okta RADIUS agent config (host, ports, shared secret location)

  • Document current ASA VPN config (show run tunnel-group, show run webvpn)

  • Document current ISE RADIUS policy for VPN (show policy set, authz rules)

  • Count active VPN users (ASA: show vpn-sessiondb anyconnect)

  • Identify VPN connection profiles and tunnel groups in use

  • Identify DAP policies on ASA

  • AnyConnect version audit across fleet

  • Document current MFA method (Okta Verify push/TOTP)
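A small inventory helper, added here and not part of the original checklist, that turns pasted `show vpn-sessiondb detail anyconnect` output into the figures the items above ask for: active user count, tunnel groups in use, AnyConnect versions in the fleet, and which clients sit below a floor version you supply. The field labels follow the ASA output layout as assumed here, and the sample output is constructed.

```python
import re
from collections import Counter

# Constructed sample of "show vpn-sessiondb detail anyconnect" output; field
# labels follow the ASA layout as assumed here, all values are invented.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed
Username     : alice                  Index        : 101
Assigned IP  : 10.20.0.11             Public IP    : 198.51.100.10
Group Policy : GP-Employees           Tunnel Group : TG-Employees
Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.10.07061

Username     : bob                    Index        : 102
Assigned IP  : 10.20.0.12             Public IP    : 203.0.113.7
Group Policy : GP-Contractors         Tunnel Group : TG-Contractors
Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.9.06037

Username     : carol                  Index        : 103
Assigned IP  : 10.20.0.13             Public IP    : 192.0.2.9
Group Policy : GP-Employees           Tunnel Group : TG-Employees
Client Ver   : Cisco AnyConnect VPN Agent for Windows 4.10.07061
"""

TUNNEL_RE = re.compile(r"Tunnel Group\s*:\s*(\S+)")
# The trailing dotted number on the Client Ver line is the AnyConnect build.
VERSION_RE = re.compile(r"Client Ver\s*:\s*.*?(\d+(?:\.\d+)+)\s*$", re.M)

def parse_sessions(output):
    """Return one dict per session: user, tunnel group, client version."""
    sessions = []
    # Each session starts with a Username line; [1:] drops the header text.
    for block in re.split(r"(?m)^Username\s*:", output)[1:]:
        tg, ver = TUNNEL_RE.search(block), VERSION_RE.search(block)
        sessions.append({"user": block.split()[0],
                         "tunnel_group": tg.group(1) if tg else None,
                         "client_ver": ver.group(1) if ver else None})
    return sessions

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def inventory(output, min_version):
    sessions = parse_sessions(output)
    floor = version_tuple(min_version)
    below = sorted(s["user"] for s in sessions
                   if s["client_ver"] and version_tuple(s["client_ver"]) < floor)
    return {"active_users": len(sessions),
            "by_tunnel_group": dict(Counter(s["tunnel_group"] for s in sessions)),
            "by_client_ver": dict(Counter(s["client_ver"] for s in sessions)),
            "below_min_version": below}
```

Paste the real `show vpn-sessiondb detail anyconnect` output in place of the sample and pick the floor version from your own client support matrix.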

Entra ID Preparation

  • Identify Entra tenant and admin access

  • Create Entra security group for VPN users (SG-VPN-Users or equivalent)

  • Verify user accounts synced to Entra (AD Connect / Cloud Sync)

  • Plan MFA enrollment for Authenticator (parallel with Okta Verify)

ISE 3.2 Verification

Critical — verify before architecture commitment.

  • Log into ISE admin → Administration → Identity Management → External Identity Sources

  • Check if "SAML Id Providers" option exists (ISE 3.2 may have limited support)

  • Check ISE 3.2 release notes for SAML IdP proxy support

  • If absent: architecture falls back to Option B (ASA direct SAML + ISE RADIUS)

ISE 3.2 SAML verification commands
! ISE CLI — check version
show version
show application status ise

! ISE Admin GUI path:
! Administration > Identity Management > External Identity Sources > SAML Id Providers
! If this menu exists → Option A viable
! If absent → Option B (ASA direct to Entra)

Lab Environment

  • Lab ASA available (or ASAv)

  • Lab ISE 3.2 node available

  • Entra test tenant or dev tenant configured

  • AnyConnect test client ready

  • Lab network allows SAML redirects (HTTPS outbound to login.microsoftonline.com)