Configuring the On-Prem MFA Agent
Published: Jan 31, 2018   -   Updated: May 15, 2018

Configuring the On-Prem MFA Agent (including RSA SecurID)

The Okta On-Prem MFA agent (formerly named the RSA SecurID agent) acts as a RADIUS client and communicates with your RADIUS-enabled on-prem MFA server, including RSA Authentication Manager for RSA SecurID tokens. This lets your organization use second-factor challenges from a variety of on-premises multifactor authentication tools.

Note: If you are currently using the RSA SecurID agent (v1.1.0 or below), you should upgrade to the latest version of the On-Prem MFA agent at your earliest convenience. For the latest version and version history, see Okta On-Prem MFA Agent Version History.

Supported Operating Systems

The Okta On-Prem MFA agent can be installed on the following:

  • Windows Server 2008 R2
  • Windows Server 2008 R2 Core – If you are using this version for your installation, please take special note of step 6 under Installing the Agent.
  • Windows Server 2012 R2

Before You Begin

Before setting up the On-Prem MFA agent within Okta, set up the RADIUS server settings for your secure OAuth vendor.

Enabling the Agent

To enable the On-Prem MFA agent or RSA SecurID, complete the following steps:

  1. From your Administrative Dashboard, select Security > Multifactor.
  2. Click the Factor Types tab.
  3. Click the Edit button. The On-Prem MFA factor check box is not selectable at this time unless you have set up this factor previously. Select either the RSA SecurID link or the Custom link to continue.
For RSA SecurID
  1. In the RSA Security Console, click RADIUS > RADIUS Clients > Add New.
  2. Enter a Client Name.
  3. Do not select Any Client.
  4. In the IP Address Type field, select the RADIUS client IP address type that is required by your agents.
  5. Select IPv4 or IPv6.
  6. In the IPvX Address field, enter the IP address of the Okta MFA client.
  7. In the Make/Model drop-down list, select the Standard RADIUS type of RADIUS client.
  8. In the Shared Secret field, enter your shared secret passphrase (shown here as the placeholder yoursecretpassphrasehere).
  9. Select Client Status.
  10. Set Inactivity Time = 10 (suggested value from RSA).
  11. In the Notes field, enter any notes you want to keep in RSA (shown here as the placeholder whatevernotesyouwanttoputinRSA).
  12. Click Save and Create Associated RSA Agent.
  13. On the next screen, click Save Agent.

Repeat as needed for backup servers.

For Custom
  1. Click the On-Prem MFA link in the Configure information box.
  2. On the On-Prem MFA page, click the Edit button in the On-Prem Multifactor Authentication Settings section.
  3. Enter the on-prem provider name.
  4. Select the preferred provider username format.
  5. Fill in the Hostname, Authentication port, and Shared secret fields:
  • Custom On-prem provider name: This is the name that appears to end users during their login challenge.
  • Provider username format: Select the format expected by the provider.
  • Hostname: The server host name or IP address.
  • Authentication Port: The RADIUS server port (e.g., 1812). This is defined when the On-Prem RADIUS server is configured.
  • Shared Secret: An authentication key that must be defined when the RADIUS server is configured, and must be the same on both the RADIUS client and server.
  6. Click the Add New Agent link.
  7. Click the Save button.

Disabling SSL Pinning

The following is applicable only to On-Prem MFA agent versions 1.3.0 or later.

Note: For agents on a network containing a web security appliance, it might be necessary to disable SSL pinning.

  1. Open the folder where the Okta RSA agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RSA Agent\ or C:\Program Files (x86)\Okta\Okta On-Prem MFA Agent\.
  2. From this folder, navigate to current\user\config\rsa-securid\config.properties. Before making changes, we recommend creating a backup of this file. Open the file in a text editor such as Notepad.
  3. At the end of the file, append the following line: ragent.ssl.pinning = false
  4. Save the file.
  5. Restart the Okta On-Prem MFA Agent service using the available Windows administrative tools.

Using Proxy Server Support

The On-Prem MFA agent (v1.3.3 or later) supports proxy configuration for communication with your RADIUS-enabled on-prem MFA server, including RSA Authentication Manager for RSA SecurID. If you do not need proxy support, proceed to Installing the Agent below.

Installing the Agent

  1. Run the On-Prem MFA agent installer.
  2. Click Next through the "Important Information" and "License Information" screens.
  3. Choose your installation folder, taking note of the installation path. It will be needed later in the process.
  4. Click the Install button.
  5. On the Okta On-Prem Agent Configuration screen, enter your Instance ID. This is accessible from the On-Prem Multifactor Authentication Settings page in the Okta app (see The Custom Option under Enabling the Agent above).
  6. Click the Next button through the process until the Okta Sign In page appears.
  7. Leave the Okta Sign In page without signing in and open a File Explorer window.
  8. From File Explorer, locate and navigate to your config.properties file (for example <AGENT_INSTALL_PATH>\current\user\config\rsa-securid\config.properties).
  9. Open the config.properties file in your favorite text editor.
  10. Add your proxy configurations to the bottom of this file. Example keys are proxyAddress, proxyUsername, or proxyPassword.

The following is a simple configuration for a proxy with an http protocol host of 127.0.0.1 and a port of 3128.

(Screenshot: ProxyExample)

Note: If all the properties occur on a single line, simply add your proxy settings beneath it.

  11. Save the file.
  12. Sign into Okta on the Sign In screen.
  13. Click the Allow Access button.
  14. Bring the installer to the front to view completion of the install.
  15. The Installation Completed screen appears. If not, see Troubleshooting below.
  16. Click the Finish button to complete the installation.

Upgrading From an Existing MFA-Agent

  1. From your File Explorer navigate to your existing installation folder.
  2. Open the file C:\Program Files (x86)\....\Okta On-Prem MFA Agent\current\user\config\rsa-securid\config.properties with your favorite text editor.
  3. Add your proxy configurations to the bottom of this file. Example keys are proxyAddress, proxyUsername, or proxyPassword.

The following is a simple configuration for a proxy with an http protocol host of 127.0.0.1 and a port of 3128.

(Screenshot: ProxyExample)

Note: If all the properties occur on a single line, simply add your proxy settings beneath it.

  4. Save this file and run the installer for MFA-Agent 1.3.2.
  5. When the installation completes, an installation completed message appears. If not, see Troubleshooting below.

Troubleshooting

If your installation was not successful with either the fresh installation or after an upgrade, see the following.

For a fresh installation

  • Reconfirm your proxy settings, or
  • Retry using sslPinningEnabled = false (Warning: only use this option if you are confident in how this works).

For upgrade installation

If you enter proxy properties that are inaccurate, the installer may appear to succeed, but the agent will eventually fail. To verify these properties, look for the last connected timestamp on your list of agents in the Okta Administrator Dashboard.
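Added example (not Okta's code): a small Python audit of the config.properties file that the SSL pinning, proxy and troubleshooting procedures above have you edit by hand. It parses the Java-style key = value format, reports whether pinning has been disabled via either key named on this page, flags a clear-text proxy password, and shows that a key appended at the end of the file overrides an earlier copy. The sample file, the proxy value syntax and the proxyUsername value are constructed assumptions.

```python
import re

# Keys named in the procedures above; both pinning spellings appear in the article.
PINNING_KEYS = ("ragent.ssl.pinning", "sslPinningEnabled")

# Constructed sample config.properties; the proxy value syntax is an assumption, not Okta's.
SAMPLE = """\
# Okta On-Prem MFA Agent settings (constructed sample)
ragent.ssl.pinning = true
proxyAddress = http://127.0.0.1:3128
proxyUsername = svc-proxy
proxyPassword = constructed-example-password
ragent.ssl.pinning = false
"""

# Java-style properties line: the key ends at the first '=', ':' or whitespace.
_LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> tuple:
    """Return (effective settings, keys seen more than once). As in
    java.util.Properties the last occurrence wins, so a line appended at the
    end of the file silently overrides an earlier setting of the same key."""
    props, dupes = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank or comment line
            continue
        m = _LINE.match(line)
        if not m:  # malformed line without a key; ignore it
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in props and key not in dupes:
            dupes.append(key)
        props[key] = value
    return props, dupes


def audit(text: str) -> list:
    """Findings a reviewer wants before an agent with this file goes live."""
    props, dupes = parse_properties(text)
    findings = []
    for key in PINNING_KEYS:
        if props.get(key, "").lower() == "false":
            findings.append(f"SSL pinning disabled via {key}: TLS to Okta is no longer pinned")
    for key in dupes:
        findings.append(f"duplicate key {key}: effective value is {props[key]!r}")
    if "proxyAddress" in props:
        findings.append(f"proxy in use: {props['proxyAddress']}")
        if props.get("proxyPassword"):
            findings.append("proxyPassword is stored in clear text: restrict the file's ACL")
    return findings
```

Run audit() over the real file from the agent installation folder before restarting the service; an unexpected pinning finding or duplicate key is the quickest explanation for an agent that installs cleanly but never shows a recent last connected timestamp.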

Installing the Agent

  1. Run the On-Prem MFA agent installer.
  2. Click Next through the "Important Information" and "License Information" screens.
  3. Choose your installation folder and click Install.
  4. On the Okta On-Prem Agent Configuration screen, enter your Instance ID. This is accessible from the On-Prem Multifactor Authentication Settings page in the Okta app (see The Custom Option under Enabling the Agent above).
  5. Configure the settings in the Register Okta On-Prem MFA Agent dialog box as follows:

Note: If setting this up to test on your Okta Preview Sandbox org, you'll need to enter the complete URL for your org. For example: https://mycompany.oktapreview.com.

(Screenshot: On-Prem_2)

  6. (Windows Server 2008 R2 Core ONLY) Open a browser and add the provided URL into the address field. This authorizes the installer to use Okta.

(Screenshot: On-Prem_3)

  7. Click the Next button to continue on to an Okta Sign In page.
  8. Sign into Okta on the Sign In screen.
  9. Click the Allow Access button.
  10. The confirmation screen appears. Click the Finish button to complete the installation.

Configuring High Availability

To configure for high availability by installing an additional On-Prem MFA agent, do the following:

  1. From your Administrator Dashboard, select Security > Multifactor > RSA SecurID / On-Prem MFA.
  2. Click the Add New Agent button.
  3. Download the agent with the provided URL, run the installation file, and enter the provided Instance ID when you are prompted to do so.


Uninstalling and Reinstalling Your Agent

When you uninstall an RSA SecurID or On-Prem MFA agent, or reinstall an On-Prem MFA agent, you must decide whether or not you also want to remove the old Okta API token from your system. If you are performing an upgrade, you are not required to do so. To remove the API token, you must delete the Okta RSA SecurID Agent or On-Prem MFA Agent folder, and deactivate and remove your old RSA SecurID / On-Prem MFA agent in Okta.

Note: To avoid downtime, you must have at least two agents running before you uninstall one. See Configuring High Availability for more information.


Uninstalling Your Agent

To uninstall your agent, do the following:

  1. On your Windows desktop, select Start > Control Panel > Programs > Programs and Features.
  2. Select the appropriate agent, and then select Uninstall.
  3. From your Administrator Dashboard, select Security > Multifactor > RSA SecurID / On-Prem MFA.
  4. Click the Deactivate button for the agent you want to deactivate and then click the Delete button to remove it from your system.
  5. Uninstalling your On-Prem MFA agent leaves the agent configuration data on your hard drive. To remove the configuration data, go to \Program Files (x86)\Okta and delete the Okta RSA SecurID Agent or On-Prem MFA folder. Deleting this folder removes the agent configuration data and the API token from your hard drive. The API token for the server is still valid in Okta, so it is important to remove the configuration data.


Reinstalling Your Agent

Installing the agent does not overwrite the configuration data in the On-Prem MFA Agent folders. If you want to reinstall and create a new API token, make sure you delete the On-Prem MFA Agent folder (as described above) before you reinstall the agent. Then perform the following steps to reinstall your agent, and deactivate and remove the old one in Okta:

  1. Perform the procedure described in Installing the On-Prem MFA Agent above.

  2. From your Administrator Dashboard, select Security > Multifactor and then select the RSA SecurID / On-Prem MFA tab.

  3. Under Agents, there is a list of your agents. Confirm that your reinstalled agent is connected to Okta and appears in the list. You should always make sure to have at least one of the agents online.

    If you are performing an upgrade or reinstallation and do not wish to revoke the Okta API token of the old agent, you are finished. Otherwise, proceed to the next step.

  4. Under Agents, click the Deactivate button for the agent you want to deactivate, then test your system to ensure that it is working properly.
  5. Select Security > API, and then click the trash can icon next to the appropriate agent token. See API Tokens for more information.
  6. Select Security > Authentication and then select the RSA SecurID / On-Prem MFA tab again.
  7. Click the Delete button to remove the agent from your system.
