Configuring RADIUS applications in Okta
Published: Jan 31, 2018   -   Updated: Jun 22, 2018

This is an Early Access feature. To enable it, please contact Okta Support.

Okta RADIUS support can distinguish between different RADIUS-enabled apps and serve them concurrently: you set up one Okta RADIUS app for each configuration. Additionally, the Okta RADIUS application supports creating sign-on policies and assigning RADIUS authentication to groups.

RADIUS-enabled apps are easy to manage, because admins can manage all of these apps and infrastructure configurations from the Okta Admin Console. It is no longer necessary to make changes on the Okta RADIUS Agent server itself, which adds security as well as convenience.

Prerequisite: To use the Okta RADIUS application, you must install Okta RADIUS agent v. 2.5.0 or later. Because this is an Early Access feature, ask Okta Support for the new agent when you request the feature. To obtain the agent, navigate to Settings > Downloads and select the Download link next to the RADIUS application.

Okta RADIUS App Features

Support for multiple RADIUS-enabled apps and infrastructure

Each app and infrastructure component, such as a VPN, can be configured differently through the same Okta RADIUS Agent, because the improved agent can listen on multiple distinct ports, one per RADIUS configuration; for example, Cisco AnyConnect can use RADIUS UDP port 1812 while another on-prem app uses RADIUS UDP port 1813.

User and group specific configurations

Because of the new app model, you can limit access to specific users and groups as needed, the same way you can restrict access to any app. Admins can restrict access to RADIUS-enabled apps and infrastructure to specific groups of users instead of all Okta users.

Pass group ownership to RADIUS applications

Okta can now pass the list of all groups a user belongs to on to a RADIUS-enabled app or infrastructure component. This allows admins to support fine-grained authorization with different levels of access and security based on the group membership of users.

Provide multifactor authentication and security based on IP addresses

By resolving the IP address of the client attempting to connect to a RADIUS-enabled app or infrastructure, admins can adjust the level of access depending on whether the user is within a certain IP range or network zone. For more information on ranges and zones, see Network.

Centralized, Cloud-Based Configuration

Administrators can manage all of their RADIUS-enabled apps and infrastructure configurations from the Okta Admin Console, without making changes on the Okta RADIUS Agent server itself.

2FA Only (Passwordless Mode)

You can configure a RADIUS-enabled app to only use the second factor in multifactor authentication. This is also known as passwordless mode.

When configuring the app, clear the check box Okta performs primary authentication. The screenshot below shows the default configuration, which is not 2FA only. Additionally, the UDP port must be unique. Be sure to verify the Application username format when enabling 2FA mode.

[Screenshot: radius_2fa]

There are three limitations on the Okta RADIUS application.

  1. The RADIUS port and shared secret are taken from the RADIUS applications or VPNs configured in the Okta Admin Console. Any values entered at the RADIUS agent's own prompts remain available if an org enables the feature after those values were entered.
  2. WiFi infrastructure is not supported.
  3. The RADIUS agent only supports PAP-based authentication. No other protocols are supported.

There are four required steps and two optional steps to upgrade the agent and add a RADIUS application.

Step 1 – Adding the RADIUS App

Adding the RADIUS app is like adding any other app in Okta.

  1. From the Applications menu, choose Applications.
  2. On the Applications page, click the Add Application button.
  3. In the left-side search field, enter the keyword RADIUS.
  4. From the resulting list, choose RADIUS App by clicking the Add button.

    Note: When creating app instances, each app name must be unique.

  5. Follow the prompts to complete app creation.

Configuring the RADIUS App

Once created, you'll land on the page for the app, as shown below.

  1. Click the Sign On tab.

    [Screenshot: GenericRadius]

  2. Go through the configuration, noting the following elements:

    Settings

    • Authentication: Keeping the default selection lets Okta perform primary authentication (clear it for 2FA-only mode, described above).
    • UDP Port: Each RADIUS app listens on its own, unique UDP port. Enter the port number in this required field.
    • Secret Key: In this required field, enter the shared secret used to encrypt and decrypt the user password in RADIUS requests. This key must be identical to the one configured on the VPN server.
    • Application username format: Your choice from this drop-down menu determines the username format the RADIUS client must send.
    • Password Reveal: Check this if you want your users to be able to securely see their password.

    Advanced RADIUS Settings

    • Report client IP: Some VPN gateways forward the IP addresses of the clients connecting to them in certain RADIUS attributes of the authentication request. If you select this option, Okta takes the client IP from that request attribute and uses it for logging and policy evaluation.
    • Include groups in RADIUS response: If you select this option, Okta passes group information in the specified RADIUS attribute of a successful authentication response. Some VPN gateways can use the authenticated user's group information for further access control.
    • Accept password and security token in the same login request: If you want to include both a password and an MFA factor in the request, check this box.

    Sign on Policy

    A default rule exists for the app that allows access to anyone assigned the app from anywhere. Click the Add Rule button to change or add to the default rule.

Step 2 – Configure the RADIUS agent

Install RADIUS agent 2.5.0 or later that you downloaded. Earlier versions of the RADIUS agent do not support the new features. For information on installing the RADIUS agent, see Installing and Configuring the Okta RADIUS Agent.

Important: During the agent installation, you might be prompted to enter a RADIUS Shared Secret and a RADIUS port. For orgs that have this feature enabled, these values are no longer used, so you can enter anything in these fields; however, the values entered at these prompts are used for backwards compatibility when an org does not have the feature enabled.

Step 3 – Configure a RADIUS-enabled application

Configure your specific application to point to the Okta RADIUS Agent server to handle RADIUS authentication requests.

Although this will vary based on your specific application or infrastructure, it typically requires:

  • Enabling RADIUS as an authentication method in your app or infrastructure
  • Specifying the hostname or IP address of the Okta RADIUS Server
  • Specifying the port that will be used – this must match the UDP port that you chose in the RADIUS app setup in Okta.
  • Choosing the RADIUS authentication type – currently the Okta RADIUS Agent only supports PAP authentication.

For more information, please refer to your vendor’s documentation and locate any content pertaining to RADIUS setup.
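The Secret Key in the app's Sign On settings and the PAP-only restriction in this step are easiest to understand by looking at what a RADIUS client actually does with them. The following Python script is an added example, not Okta's or the RADIUS agent's code: it implements the RFC 2865 User-Password hiding that the shared secret drives, builds an Access-Request the way a PAP-only VPN would send it to the agent, and verifies the Response Authenticator on the reply. The secret, username, password and Request Authenticator values are constructed for the demonstration.

```python
"""RADIUS PAP over a shared secret (RFC 2865). Added example, not Okta code."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-byte authenticator follows


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value; a value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block is chained to the Request
    Authenticator. This is obfuscation keyed by the shared secret, not modern
    encryption, which is why the link to the agent still needs network protection."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += cipher
        prev = cipher
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as done on receipt. Trailing NUL padding is
    stripped, so a password ending in NUL is not representable in PAP."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        cipher = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(cipher, keystream))
        prev = cipher
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Access-Request as a PAP-only client (the VPN) sends it to the agent."""
    request_auth = request_auth or secrets.token_bytes(16)
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret):
    """Access-Accept / Access-Reject as the server side emits it."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return HEADER.pack(code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the RADIUS client must do with every reply: recompute the Response
    Authenticator with its own secret and compare in constant time. A reply that
    does not verify is discarded, so a wrong secret on either side blocks logins."""
    if len(packet) < 20:
        return False
    code, identifier, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value for the demo
    req_auth = bytes(range(16))             # fixed instead of random so the run is reproducible
    hidden = hide_password(b"correct horse battery", secret, req_auth)
    print(reveal_password(hidden, secret, req_auth))          # the agent, with the matching secret
    print(reveal_password(hidden, b"wrong-secret", req_auth)) # a mismatched secret yields garbage
    reply = build_response(ACCESS_ACCEPT, 7, b"", req_auth, secret)
    print(verify_response(reply, req_auth, secret), verify_response(reply, req_auth, b"wrong-secret"))
```

Running the script shows the two effects of a mismatched Secret Key: the agent recovers garbage instead of the password, and the VPN rejects every reply because the Response Authenticator no longer verifies. It also makes the PAP caveat concrete: the password is only XORed with an MD5 keystream derived from the secret, so the RADIUS traffic between the VPN and the agent should itself run over a trusted or protected network.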

Step 4 – Validating the app setup

After configuring an on-prem app, VPN, or Amazon Workspaces, validate the integration using any of the following processes:

  • Logging into the app or infrastructure using the Okta username and password. Remember that the username must be in the Application username format chosen for the app.
  • Depending on your configuration, Okta is then used for primary or secondary authentication.
  • Confirm that users who are not assigned to the application cannot gain access and are not prompted for a second factor.
  • If multiple apps and infrastructure components are set up against the same Okta RADIUS Agent, all of them should be able to operate at the same time over separate RADIUS ports.

Step 5 – Client IP Reporting [optional]

If desired, you can configure Okta to enforce, restrict, or provide different levels of access depending on the IP address or network zone of users accessing your RADIUS-enabled system. The following steps outline this process.

After completing the following procedure to enable client IP resolution, you can define network zones by location or IP address and use them in sign-on policies to provide access, enforce MFA, or block access. For more information, see IP Zones.

  1. To utilize this feature you must first configure Network Zones in your Okta tenant. To set up a zone, complete the following:
    • Navigate to Security > Network and choose Add Zone > IP Zone.
    • Provide a name.
    • In the Gateway IPs field, specify the IP ranges with which your users will authenticate to your RADIUS-enabled systems (their client IPs).
    • In the Proxy IPs field, specify the public-facing IP address of the RADIUS Agent server that will proxy each RADIUS request.

      Note: To use geolocation capability, create a network zone that only specifies proxy IPs.

    • For more details on setting up IP zones, see Network.
  2. Find the application you would like to enable this feature for from the Applications page in the Okta Dashboard. Select the app to open up the app configuration page.
  3. Navigate to the Sign On page and locate the Advanced RADIUS Settings section towards the bottom of the page. Select Edit.
  4. Check Report Client IP.
  5. Choose the RADIUS attribute that your RADIUS-enabled system uses to pass the client-IP address.
    • This can vary from vendor to vendor, so if you are unsure which attribute to choose, try to identify this information from your vendor's technical instructions or contact their technical team for help.
    • The most common attribute used for this information is 31 Calling Station ID, so that is a good place to start if you are unsure.
    • You may also use the table below, which lists the attributes used by a few common vendors.

      Typical RADIUS attributes used for the client IP by common vendors

      Vendor                RADIUS attribute
      Cisco                 31 Calling Station ID
      Juniper               31 Calling Station ID
      Citrix Netscaler      31 Calling Station ID
      F5                    31 Calling Station ID
      Palo Alto Networks    26 Vendor Specific: “PaloAlto-Client-Source-IP”
  6. Finally, in the Sign On Policy section at the bottom of the page, choose Add Rule and create policies that allow, block, or require MFA based on the network zones you created in step 1.

Step 6 – Use Okta group membership information for authorization [optional]
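The following Python script is an added example, not Okta's code, that models the mechanics behind this step: it parses the attributes of an Access-Request, extracts the client IP from 31 Calling Station ID or from a 26 Vendor Specific attribute, and evaluates a small ordered rule list against an IP zone made of gateway IPs and proxy IPs. The zone and rule semantics are a simplified stand-in for Okta's policy engine, and the vendor ID and vendor attribute number used for the vendor-specific case are constructed placeholders; take the real ones from your vendor's RADIUS dictionary. It also covers the failure mode behind the Wi-Fi limitation above: a Calling Station ID that carries a MAC address rather than an IP resolves to no zone.

```python
"""Client-IP resolution and IP-zone checks for RADIUS requests. Added example, not Okta code."""
import ipaddress
import struct

ATTR_NAS_IP_ADDRESS, ATTR_VENDOR_SPECIFIC, ATTR_CALLING_STATION_ID = 4, 26, 31
# Constructed placeholders: use the vendor ID and attribute number from the vendor's dictionary.
EXAMPLE_VENDOR_ID, EXAMPLE_VENDOR_ATTR = 12345, 1


def parse_attributes(data: bytes):
    """Walk the attribute TLVs; a VSA (type 26) is unpacked to (vendor_id, vendor_type, value).
    Malformed lengths are rejected, not skipped, as a parser facing untrusted UDP should."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short vendor-specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            attrs.append((atype, (vendor_id, vtype, value[6:4 + vlen])))
        else:
            attrs.append((atype, value))
        i += alen
    return attrs


def client_ip(attrs, source="calling-station-id", vendor=(EXAMPLE_VENDOR_ID, EXAMPLE_VENDOR_ATTR)):
    """Return the reported client IP, or None when the configured attribute is absent
    or does not hold an IP address (a Wi-Fi controller, for instance, reports a MAC here)."""
    for atype, value in attrs:
        if source == "calling-station-id" and atype == ATTR_CALLING_STATION_ID:
            raw = value
        elif source == "vsa" and atype == ATTR_VENDOR_SPECIFIC and value[:2] == vendor:
            raw = value[2]
        else:
            continue
        try:
            return ipaddress.ip_address(raw.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            return None
    return None


class IpZone:
    """Gateway IPs: ranges the users' clients come from. Proxy IPs: the agent host(s)
    forwarding the request. In this simplified model both must match."""
    def __init__(self, name, gateway_ips, proxy_ips):
        self.name = name
        self.gateways = [ipaddress.ip_network(g, strict=False) for g in gateway_ips]
        self.proxies = [ipaddress.ip_network(p, strict=False) for p in proxy_ips]

    def contains(self, client, agent):
        return (client is not None
                and any(client in n for n in self.gateways)
                and any(agent in n for n in self.proxies))


def evaluate(rules, zones, client, agent):
    """First matching rule wins; 'anywhere' matches every request. An unresolvable
    client IP matches no zone and therefore falls through to the 'anywhere' rule."""
    by_name = {z.name: z for z in zones}
    for zone_name, action in rules:
        if zone_name == "anywhere" or by_name[zone_name].contains(client, agent):
            return action
    return "deny"


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id, vtype, value):
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vtype, len(value) + 2) + value)


# Constructed samples: a VPN forwarding the remote user's IP, a Wi-Fi controller
# putting the client MAC in the same attribute, and a vendor using a VSA instead.
VPN_REQUEST = attr(ATTR_NAS_IP_ADDRESS, bytes([198, 51, 100, 10])) + attr(ATTR_CALLING_STATION_ID, b"203.0.113.45")
WIFI_REQUEST = attr(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")
VSA_REQUEST = vsa(EXAMPLE_VENDOR_ID, EXAMPLE_VENDOR_ATTR, b"10.20.30.40")

ZONES = [IpZone("Corp VPN users", ["203.0.113.0/24"], ["198.51.100.10"])]
RULES = [("Corp VPN users", "allow"), ("anywhere", "mfa")]   # constructed sign-on policy
AGENT = ipaddress.ip_address("198.51.100.10")                  # the agent host seen by the policy


def decide(request_bytes, source="calling-station-id"):
    return evaluate(RULES, ZONES, client_ip(parse_attributes(request_bytes), source), AGENT)


if __name__ == "__main__":
    print(decide(VPN_REQUEST), decide(WIFI_REQUEST), decide(VSA_REQUEST, "vsa"))
```

The request from the zone's gateway range is allowed outright, while the Wi-Fi request (no usable IP) and the VSA request from an address outside the zone both fall through to the MFA rule. Keep that fall-through in mind when writing policies: a rule that only grants access inside a zone is safe, whereas a rule that relaxes MFA "anywhere" also applies to every request whose client IP could not be resolved.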

You can configure Okta to provide different levels of authorization and access based on the groups to which users belong for a RADIUS-enabled service. Use the following procedure for each app to configure by group membership.

  1. Navigate to an application you would like to enable this feature for from the Applications page in the Okta Dashboard and select Sign On.
  2. On the Sign On page for the app, select Edit in the Advanced RADIUS Settings section towards the bottom of the page.

Steps 3 to 6 refer to the screen shown below.

[Screenshot: okta_radius_app_1]

  3. Check Include groups in RADIUS response.
  4. In the RADIUS attribute drop-down list, choose the attribute through which you want Okta to pass the group information to your specific app or infrastructure. Currently, the available choices are 11 Filter-ID and 25 Class. These are the most widely accepted attributes for passing group information to most vendors. If you are unsure which to choose, consult your vendor's technical reference documentation or contact their technical team.
  5. Specify the Okta groups that you want to include in the RADIUS response if a user belongs to them.

    Note: This means that if a user belongs to four groups, but you only list two of the four in this field, Okta only passes those two groups to your RADIUS-enabled app. Likewise, if the user doesn't belong to either of the two groups you listed in this field, Okta returns no group for that user.

  6. Configure the Response Format and Group Name Format you would like to use to pass this information to your RADIUS application or infrastructure. Like the RADIUS attribute, this can vary depending on your setup and the specific vendor's hardware. For help in configuring this setting, contact the vendor's technical support team.

After successfully completing this configuration, Okta passes group membership information to your RADIUS-enabled app or system. You can now log into your app or infrastructure and configure its behavior based on these specific groups.
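The following Python script is an added example, not Okta's code, that makes the filtering rule in the note above concrete: it encodes the groups a user belongs to into 11 Filter-ID or 25 Class attributes of an Access-Accept, returning only the groups listed in the app's configuration (in the configured order, which is this example's choice) and no group attribute at all for a user in none of them. The "one attribute per group" versus "single delimited attribute" switch and the name formatter stand in for the Response Format and Group Name Format settings, whose exact option names this page does not list; the group names are constructed sample data.

```python
"""Group membership in an Access-Accept. Added example, not Okta code."""
import struct

ATTR_FILTER_ID, ATTR_CLASS = 11, 25


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute; RFC 2865 caps a single attribute value at 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes; use one attribute per group")
    return struct.pack("!BB", atype, len(value) + 2) + value


def group_attributes(user_groups, configured_groups, attribute=ATTR_FILTER_ID,
                     one_attribute_per_group=True, delimiter=",", name_format=str):
    """Return the attribute bytes to append to an Access-Accept for this user.
    Only groups present in configured_groups are emitted; an empty intersection
    yields no attribute at all, which the VPN must treat as 'no group'."""
    members = set(user_groups)
    selected = [name_format(g) for g in configured_groups if g in members]
    if not selected:
        return b""
    if one_attribute_per_group:
        return b"".join(attr(attribute, g.encode()) for g in selected)
    return attr(attribute, delimiter.join(selected).encode())


def groups_from_response(attrs_bytes: bytes, attribute=ATTR_FILTER_ID, delimiter=","):
    """Minimal TLV walk (no VSAs) that reads the groups back the way a VPN would."""
    groups, i = [], 0
    while i + 2 <= len(attrs_bytes):
        atype, alen = attrs_bytes[i], attrs_bytes[i + 1]
        if alen < 2 or i + alen > len(attrs_bytes):
            raise ValueError("bad attribute length")
        if atype == attribute:
            groups.extend(attrs_bytes[i + 2:i + alen].decode().split(delimiter))
        i += alen
    return groups


# Constructed sample data: the user's Okta groups and the groups listed in the app.
USER_GROUPS = ["Everyone", "VPN-Users", "Engineering", "Finance"]
CONFIGURED = ["VPN-Admins", "VPN-Users", "Engineering"]

if __name__ == "__main__":
    per_group = group_attributes(USER_GROUPS, CONFIGURED)
    print(groups_from_response(per_group))                      # ['VPN-Users', 'Engineering']
    single = group_attributes(USER_GROUPS, CONFIGURED, ATTR_CLASS,
                              one_attribute_per_group=False, name_format=str.lower)
    print(groups_from_response(single, ATTR_CLASS))             # ['vpn-users', 'engineering']
    print(group_attributes(["Everyone"], CONFIGURED))           # b''
```

Two practical points fall out of running it: a VPN that reads Filter-ID sees nothing when Okta was configured to send Class (the attribute number must match on both sides), and a long delimited list in a single attribute hits the 253-byte limit, which is the usual reason to prefer one attribute per group.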