Phase 7: Production Cutover

Prerequisites

  • Pilot completed — 5 business days, zero auth failures

  • Change Request approved (CR-2026-XX-XX-asa-vpn-saml-cutover)

  • User communication sent — 2 weeks notice

  • MFA enrollment verified for all VPN users

  • AnyConnect version >= 4.6 confirmed fleet-wide

  • Rollback plan documented and tested

Cutover Steps

! 1. Verify current state and record a baseline (session count, current auth method)
show running-config tunnel-group
show vpn-sessiondb summary

! 2. Switch the existing tunnel group to SAML.
!    The identity-provider value must match the entity ID configured with
!    "saml idp" under webvpn exactly, including the trailing slash.
!    Leave "authentication-server-group <okta-radius-group>" under
!    general-attributes untouched: SAML does not use it, but it is what keeps
!    the emergency rollback below a two-line change.
!    Established AnyConnect sessions are not dropped; SAML applies on the next connect.
tunnel-group <production-tunnel-group> webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/

! 3. Remove the pilot tunnel group (its group-alias/group-url go with it).
!    Confirm no pilot users are still connected first; they reconnect through the
!    production group. If the ASA rejects this form, the equivalent is
!    "clear configure tunnel-group VPN-SAML-PILOT".
no tunnel-group VPN-SAML-PILOT

! 4. Verify: IdP defined, production group references it, pilot group gone
show webvpn saml idp
show running-config tunnel-group <production-tunnel-group>

! 5. Save
write memory
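The verify step above is easy to eyeball wrong on a busy console, so here is a small checker for the expected tunnel-group state, written as an added example for this runbook (not part of it). It parses `show running-config tunnel-group` and `show running-config webvpn` output and reports the three things a rushed cutover tends to leave behind: the pilot group still present, a `saml identity-provider` value that does not match the `saml idp` entity ID (typically the trailing slash), and the RADIUS server group removed from general-attributes, which would make the emergency rollback fail. The same function, with `mode="aaa"`, checks the post-rollback state. The config text is constructed; VPN-CORP, OKTA-RADIUS, VPN-POOL, ENTRA-IDP, ASA-SP, vpn.example.com and the literal `<tenant-id>` are assumed placeholders.

```python
"""Check ASA tunnel-group state after the SAML cutover (mode="saml") or after the
emergency rollback to RADIUS (mode="aaa"). Added example, not runbook code; the
config text is constructed to mirror `show running-config tunnel-group` and
`show running-config webvpn`. VPN-CORP, OKTA-RADIUS, VPN-POOL, ENTRA-IDP, ASA-SP,
vpn.example.com and the literal <tenant-id> are assumed placeholders."""
import re
from dataclasses import dataclass, field


@dataclass
class TunnelGroup:
    name: str
    tg_type: str = ""
    general: list = field(default_factory=list)  # general-attributes lines
    webvpn: list = field(default_factory=list)   # webvpn-attributes lines


HEADER = re.compile(r"^tunnel-group (\S+) (?:type (\S+)|"
                    r"(general-attributes|webvpn-attributes|ipsec-attributes|ppp-attributes))$")


def parse_tunnel_groups(config: str) -> dict:
    """Parse `show running-config tunnel-group` output into TunnelGroup objects."""
    groups, section = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        m = HEADER.match(line)
        if m:
            tg = groups.setdefault(m.group(1), TunnelGroup(m.group(1)))
            if m.group(2):
                tg.tg_type, section = m.group(2), None
            else:  # collect only the two attribute blocks the checks need
                section = {"general-attributes": tg.general,
                           "webvpn-attributes": tg.webvpn}.get(m.group(3))
            continue
        if line.startswith(" ") and section is not None:
            section.append(line.strip())  # indented line belongs to the open block
        else:
            section = None                # any other top-level line closes it
    return groups


def saml_idps(webvpn_config: str) -> set:
    """Entity IDs defined with `saml idp <entityID>` under webvpn."""
    return set(re.findall(r"^\s*saml idp (\S+)", webvpn_config, re.M))


def check_tunnel_group(tg_config, webvpn_config, prod, pilot, radius_group, mode="saml"):
    """Return findings for the production group; an empty list means it matches `mode`."""
    findings, groups = [], parse_tunnel_groups(tg_config)
    if pilot in groups:
        findings.append(f"pilot tunnel-group {pilot} still present")
    tg = groups.get(prod)
    if tg is None:
        return findings + [f"production tunnel-group {prod} not found"]
    auth = [l for l in tg.webvpn if l.startswith("authentication ")]
    idp = [l.split(None, 2)[2] for l in tg.webvpn if l.startswith("saml identity-provider ")]
    if mode == "saml":
        if auth != ["authentication saml"]:
            findings.append(f"{prod}: expected 'authentication saml', found {auth or 'default (aaa)'}")
        if not idp:
            findings.append(f"{prod}: no 'saml identity-provider' configured")
        elif idp[0] not in saml_idps(webvpn_config):
            findings.append(f"{prod}: identity-provider {idp[0]} matches no 'saml idp' under "
                            "webvpn (check the trailing slash)")
    else:
        # `authentication aaa` is the ASA default and is omitted from running-config,
        # so no authentication line at all is the expected state after rollback.
        if auth not in ([], ["authentication aaa"]):
            findings.append(f"{prod}: expected aaa authentication, found {auth}")
        if idp:
            findings.append(f"{prod}: 'saml identity-provider' still set to {idp[0]}")
    # The RADIUS server group must survive the cutover; without it rollback has no fallback.
    if not any(l.split()[:2] == ["authentication-server-group", radius_group] for l in tg.general):
        findings.append(f"{prod}: authentication-server-group {radius_group} missing; "
                        "rollback to RADIUS would fail")
    return findings


# Constructed sample output (not captured from a real ASA).
WEBVPN_CONFIG = """webvpn
 enable outside
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  trustpoint idp ENTRA-IDP
  trustpoint sp ASA-SP
"""
TG_CONFIG_AFTER = """tunnel-group VPN-CORP type remote-access
tunnel-group VPN-CORP general-attributes
 address-pool VPN-POOL
 authentication-server-group OKTA-RADIUS
tunnel-group VPN-CORP webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
"""
# Pilot group left behind, entity ID typed without the trailing slash, RADIUS group removed.
TG_CONFIG_BAD = """tunnel-group VPN-SAML-PILOT type remote-access
tunnel-group VPN-SAML-PILOT webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
tunnel-group VPN-CORP type remote-access
tunnel-group VPN-CORP general-attributes
 address-pool VPN-POOL
tunnel-group VPN-CORP webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>
"""
# State after the emergency rollback: the two SAML lines removed, RADIUS group kept.
TG_CONFIG_ROLLBACK = "\n".join(l for l in TG_CONFIG_AFTER.splitlines()
                               if not l.startswith((" authentication saml", " saml identity")))

if __name__ == "__main__":
    for label, cfg, mode in (("cutover", TG_CONFIG_AFTER, "saml"), ("bad", TG_CONFIG_BAD, "saml"),
                             ("rollback", TG_CONFIG_ROLLBACK, "aaa")):
        print(label, check_tunnel_group(cfg, WEBVPN_CONFIG, "VPN-CORP", "VPN-SAML-PILOT",
                                        "OKTA-RADIUS", mode) or "OK")
```

Feed it the two `show running-config` outputs captured in step 4; an empty result is the go/no-go for `write memory`. Because `authentication aaa` is an ASA default that `show running-config` hides, run `show running-config all tunnel-group <production-tunnel-group>` if you want the explicit value after a rollback.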

Rollback (Emergency)

If critical auth failures occur (users broadly unable to complete SAML/MFA sign-in, not a single-account problem):

! Revert to RADIUS auth. This depends on "authentication-server-group <okta-radius-group>"
! still being present under general-attributes for this tunnel group; it was deliberately
! left in place during the cutover.
tunnel-group <production-tunnel-group> webvpn-attributes
 authentication aaa
 no saml identity-provider
write memory
! "authentication aaa" is the ASA default and will not appear in "show running-config";
! use "show running-config all tunnel-group <production-tunnel-group>" to confirm it.

! Verify Okta RADIUS still responds. Run this before the revert as well, so the fallback
! path is known good before traffic is sent to it. Use a real test account with MFA
! enrolled; the Okta RADIUS policy applies to this request the same way it does to a user login.
test aaa-server authentication <okta-radius-group> host <okta-agent-ip> username <test> password <test>

Post-Cutover Validation

  • show vpn-sessiondb anyconnect — new sessions landing on the production tunnel group and authenticating via SAML

  • ISE live logs — SAML identity source hitting correctly

  • Entra sign-in logs — VPN app showing successful auths

  • Monitor for 48 hours — auth failures, MFA issues, user complaints

  • Confirm: no RADIUS auth attempts to Okta agent (should be zero). Check the Okta RADIUS agent logs and the request counters in show aaa-server <okta-radius-group> on the ASA; any non-zero count after cutover means a client is still hitting a RADIUS-authenticated tunnel group.