Aviatrix User VPN Gateway supports Okta authentication as part of multi-factor authentication for OpenVPN® access.
Follow these steps to configure Okta authentication and MFA on a User VPN Gateway in your environment:
- Obtain an API token from your Okta account
- Create a new Aviatrix VPN Gateway
- Create VPN Users for this Aviatrix Gateway
- Test connectivity
Currently, Okta authentication can only be enabled when the Aviatrix Gateway is created. It cannot be changed after the Gateway has been provisioned. This will be addressed in a future version.
Obtain API Token from Okta¶
Follow the steps outlined in the Okta documentation to create a new API token.
Log in into your Okta account as a Super Admin. This allows the privilege to create a Token for API access.
Go to Security > API and click the Create Token button. Give the token a name (for example, Aviatrix).
Create Aviatrix VPN Gateway¶
Follow the steps in this guide to create a new Aviatrix VPN gateway.
Under MFA Authentication select Okta from the dropdown options.
Enter details about your Okta environment:
Field Description URL Your Okta account login URL. (For example, https://aviatrixtestaccount.okta.com) Token The token value you copied earlier Username Suffix
If provided, the VPN username will be the account ID without the domain name.
For example, if your Okta account is email@example.com and aviatrix.com is your Username Suffix, the VPN username be demoaviatrix.
If no value is provided for this field, you must enter the full username including domain name (for example, firstname.lastname@example.org).
Login to your Aviatrix Controller
Expand OpenVPN and select VPN Users
Click + Add New button
Select the VPC (or VNet) where the VPN was created in the previous step
Select the Aviatrix Gateway or Load Balancer
Enter the username.
This username must match the username in Okta.
(Optional) Enter the user’s email where the .ovpn file will be emailed.
If an email is not provided, users will need to download their .ovpn file from the Controller.
(Optional) Select a profile for this user
Use the .ovpn file emailed to your test account or download it from Aviatrix VPN Users
Add the configuration to your VPN client
Connect and login
Since Aviatrix Okta authentication uses API authentication, it uses the default sign on policy of Okta. If you have configured Multi factor Authentication in Okta, then during VPN login, the end user needs to append his MFA token to the password during authentication.
OpenVPN is a registered trademark of OpenVPN Inc.