Phase 8: Okta RADIUS Decommission

Soak Period

  • 2 weeks post-cutover — no RADIUS auth attempts to Okta agent

  • Verify in Okta admin: VPN app shows zero authentications

  • Verify on ASA: no references to Okta RADIUS server group in active config

Decommission Steps

Step  Action                                                   Status
1     Remove Okta RADIUS server group from ASA config          [ ]
2     Remove Okta RADIUS agent from server (uninstall)         [ ]
3     Disable/delete VPN application in Okta admin console     [ ]
4     Remove Okta RADIUS firewall rules (if dedicated)         [ ]
5     Update CMDB — remove Okta RADIUS agent entry             [ ]
6     Update network diagrams — Okta removed from VPN auth flow  [ ]
7     Close change request                                     [ ]

ASA Cleanup

! Remove Okta RADIUS references (host entry first, then the server group)
no aaa-server OKTA-RADIUS (<interface>) host <okta-agent-ip>
no aaa-server OKTA-RADIUS protocol radius

! Verify no orphaned references
show running-config | include OKTA
show running-config | include okta

write memory
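
An offline version of the orphaned-reference check, as an added example that is not part of the original runbook: it scans a saved running-config without regard to case and reports each match with the block it sits in, so a mixed-case remark such as "Okta" is caught as well. The sample config is constructed, and the names ENTRA-RADIUS, VPN-USERS, VPN-LEGACY, OUTSIDE_IN and the 192.0.2.x addresses are assumptions.

```python
import re

# Constructed sample of a saved ASA running-config (assumed names and addresses).
SAMPLE_CONFIG = """\
aaa-server ENTRA-RADIUS protocol radius
aaa-server ENTRA-RADIUS (inside) host 192.0.2.10
aaa-server OKTA-RADIUS protocol radius
aaa-server OKTA-RADIUS (inside) host 192.0.2.20
tunnel-group VPN-USERS general-attributes
 authentication-server-group ENTRA-RADIUS
tunnel-group VPN-LEGACY general-attributes
 authentication-server-group OKTA-RADIUS LOCAL
access-list OUTSIDE_IN remark Okta RADIUS agent return traffic
"""

def find_references(config_text, pattern=r"okta"):
    """Return (line_no, parent_line, line) for each config line matching pattern, ignoring case."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits, parent = [], None
    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and "!" separator lines
        indented = line[0].isspace()
        if not indented:
            parent = line  # top-level line opens a new config block
        if rx.search(line):
            hits.append((no, parent if indented else None, line.strip()))
    return hits

def leftover_references(hits):
    """Matches outside the aaa-server definitions: these still depend on the old group."""
    return [h for h in hits if not h[2].lower().startswith("aaa-server ")]

if __name__ == "__main__":
    for no, parent, line in leftover_references(find_references(SAMPLE_CONFIG)):
        where = f" (inside: {parent})" if parent else ""
        print(f"line {no}: {line}{where}")
```

An empty result from `find_references` on a config saved after cleanup corresponds to both `show running-config | include` checks coming back clean.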

Documentation Update

  • Update VPN architecture diagram — Entra replaces Okta

  • Update runbook — VPN troubleshooting now references Entra sign-in logs, not Okta

  • Update on-call playbook — new auth flow for VPN issues