Install the Okta RADIUS agent
Published: Jan 31, 2018   -   Updated: May 15, 2018

Installing and Configuring the Okta RADIUS Server Agent

The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication (SFA) or multi-factor authentication (MFA). It installs as a Windows service and supports the Password Authentication Protocol (PAP).

For best practices, see Okta RADIUS Server Agent Deployment Best Practices.

A RADIUS client sends the RADIUS agent the credentials (username and password) of a user requesting access to the client. From here, authentication depends on your org's MFA settings.

  • If MFA is not enabled and the user credentials are valid, the user is authenticated.
  • If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one (e.g., Google Authenticator or Okta Verify) and obtains a request for a validation code. If the code sent back to the client is correct, the user gains access.

Note: Some applications or services (e.g., AWS Workspace) do not provide an MFA selection at login, but instead ask for the MFA code in addition to the user's username and password. If the user has enrolled in more than one MFA factor (e.g., Okta Verify and YubiKey), there is no need for the user to specify which one they are using – the entered code is processed by each handler until it is validated successfully.

The RADIUS App

The RADIUS application is an independent, Okta-developed app that allows for access control on multiple RADIUS configurations. This option also provides the ability to create policy and assign RADIUS authentication to groups of users. For details on this app, see Okta RADIUS App.

Supported Operating Systems

The Okta RADIUS agent can be installed on the following Windows Server versions:

  • Windows Server 2003 R2
  • Windows Server 2008 R2
  • Windows Server 2008 R2 Core – If you are using this version for your installation, please take special note of step 9 below.
  • Windows Server 2012 R2

Upgrading to Version 2.2.0 and later and SSL Pinning

RADIUS agent versions 2.2.0 and later are enabled with SSL pinning, providing an extra layer of security. SSL pinning is not enabled by default for current users upgrading to the new agent. If upgrading from an agent version prior to v2.2.0, do the following after the upgrade.

Warning: The following steps should not be performed for agents on a network containing a web security appliance.

  1. Open the folder where the Okta RADIUS agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.
  2. From this folder, navigate to current\user\config\radius\config.properties. Before making changes, we recommend creating a backup of this file. Using a text editor such as Notepad, open config.properties.
  3. Append the following line to the end of the file: ragent.ssl.pinning = true
  4. Save the file.
  5. Restart the Okta RADIUS Agent service using the available Windows administrative tools.

This process restricts agent communication to only servers which can present valid certificates with public keys known to the new agents.

Note: See below for information on other configuration properties settings.

Installing the Okta RADIUS Agent

To start, all you need are your Okta administrator credentials.

  1. From your Administrator Dashboard, select Settings > Downloads > Okta RADIUS Server Agent.

  2. Click the Download button and run the Okta RADIUS installer.

  3. Proceed through the installation wizard to the "Important Information" and "License Information" screens.

  4. Choose the Installation folder and click the Install button.

  5. On the Okta RADIUS Agent Configuration screen, enter your RADIUS Shared Secret key and RADIUS Port number. If you are using the RADIUS application, these elements are not required.

  6. On the Okta RADIUS Agent Proxy Configuration screen, you can optionally enter your proxy information. Click the Next button.

  7. On the Register Okta RADIUS Agent screen, enter the following: Choose your org version.

  8. If setting this up to test on your Okta Preview Sandbox org, you'll need to enter the complete URL for your org. For example: https://mycompany.oktapreview.com

    • Enter Subdomain – For example, if you access Okta using https://mycompany.okta.com, enter "mycompany", as described below.
  9. (Windows Server 2008 R2 Core ONLY) Open a browser and enter the provided URL in the address field. This authorizes the installer to use Okta.

  10. Click the Next button to continue on to an Okta Sign In page.
  11. Sign into Okta on the Sign In screen.
  12. Click the Allow Access button.
  13. The confirmation screen appears. Click the Finish button to complete the installation.

Additional Property Configurations

You can override the defaults on the following properties, if desired.

  1. Open the folder where the Okta RADIUS agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.
  2. From this folder, navigate to current\user\config\radius\config.properties. Before making changes, we recommend creating a backup of this file. Using a text editor such as Notepad, open config.properties.
  3. Configure any of the properties shown below, as desired.
  4. When done, save the file.
  5. Any changes are effective after restarting the Okta RADIUS Agent service using the available Windows administrative tools.

Properties (name – description, followed by the default value):

  • ragent.num_max_http_connection – The maximum number of HTTP connections in the connection pool. Default: 20
  • ragent.num_request_threads – The number of authentication worker threads available for processing requests. Default: 15
  • ragent.total.request.timeout.millisecond – The maximum time the RADIUS agent is allowed to process a UDP packet after it has arrived from the RADIUS client. Default: 60,000
  • ragent.okta.request.max.timeout.millisecond – The socket timeout to set on the Okta API request. This property only applies if configured; otherwise, it is computed dynamically based on the total request timeout setting. Example: If the agent times out after 90 seconds, add the following line to the config file: ragent.mfa.timeout.seconds = 28800. Default: Dynamic, based on remaining TTL for request
  • ragent.request.timeout.response.mode – The timeout response mode. Possible values are SEND_REJECT_ALWAYS, SEND_REJECT_ON_POLL_MFA, and NO_RESPONSE. Default: SEND_REJECT_ON_POLL_MFA
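
The edit-and-restart procedure used here and in the SSL pinning section above can be scripted so that the backup is never skipped and re-running it changes nothing. This is an added example, not Okta's own tooling; the paths are the page's defaults, while the service display-name pattern and the function names are assumptions.

```powershell
# Added example. Folder and file paths are the defaults given on this page; the
# service display-name pattern is an assumption, so confirm it with Get-Service.
$AgentRoot   = 'C:\Program Files (x86)\Okta\Okta RADIUS Agent'
$ConfigPath  = Join-Path $AgentRoot 'current\user\config\radius\config.properties'
$ServiceName = 'Okta RADIUS Agent*'     # assumed display name

function Set-AgentProperty {
    # Sets "Name = Value" in a .properties file; returns $true only if the file changed.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$Value
    )
    # ISO-8859-1 maps bytes 1:1, so untouched lines are written back unchanged.
    $enc     = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
    $lines   = [System.IO.File]::ReadAllLines($Path, $enc)
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*[=:]'    # live (uncommented) definitions
    $wanted  = "$Name = $Value"

    $seen = $false
    $out  = @(foreach ($line in $lines) {
        if ($line -cmatch $pattern) {
            if (-not $seen) { $wanted; $seen = $true }        # collapse duplicates to one line
        } else { $line }
    })
    if (-not $seen) { $out += $wanted }                       # append at the end of the file

    if (($lines -join "`n") -ceq ($out -join "`n")) { return $false }

    # Keep a timestamped backup before touching the file.
    Copy-Item -LiteralPath $Path -Destination ("{0}.{1:yyyyMMdd-HHmmss}.bak" -f $Path, (Get-Date))
    [System.IO.File]::WriteAllLines($Path, [string[]]$out, $enc)
    return $true
}

function Restart-OktaRadiusAgent {
    $svc = @(Get-Service -DisplayName $ServiceName -ErrorAction SilentlyContinue)
    if ($svc.Count -ne 1) { throw "Expected one service matching '$ServiceName', found $($svc.Count)." }
    Restart-Service -InputObject $svc[0]
}

# Enable pinning (skip on networks with a web security appliance, per the warning above).
if (Set-AgentProperty -Path $ConfigPath -Name 'ragent.ssl.pinning' -Value 'true') {
    Restart-OktaRadiusAgent                                   # changes take effect on restart
}
```

Run it from an elevated PowerShell session; the same function sets any of the properties listed above.
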

Checking Your Logs

Depending on where you installed the Okta RADIUS Agent, data logs can be accessed from Program Files (x86)\Okta\Okta RADIUS agent\current\logs.

Increasing the logging level:

  1. Open the log4j.properties file from the installation folder C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\user\config\radius\.
  2. Change all three instances of info to debug. Once updated, the instances should look like the following:
    • log4j.logger.app=debug, app
    • log4j.logger.access=debug, access
    • log4j.rootLogger=debug, app, stdout

Managing the Okta RADIUS Agent

You can open the Okta RADIUS Agent Manager to make changes to the Shared Secret, RADIUS Port, and Proxy settings by going to Programs > Okta RADIUS Agent Manager.

Uninstalling and Reinstalling the RADIUS Agent

When you uninstall and reinstall your RADIUS agent, you must decide whether or not you also want to remove the old Okta API token from your system. If you are performing an upgrade, you are not required to do so. To remove the API token, you must delete the Okta RADIUS Agent folder, and deactivate and remove your old RADIUS agent.

Uninstalling the RADIUS Agent

Do the following:

  1. On your Windows desktop, select Start > Control Panel > Programs > Programs and Features.
  2. Select the Okta RADIUS Agent, and then select Uninstall.
  3. Uninstalling your RADIUS agent leaves the agent configuration data on your hard drive. To remove the configuration data, go to \Program Files (x86)\Okta and delete the Okta RADIUS Agent folder. Deleting this folder removes the agent configuration data and the API Token from your hard drive. The API token for the server is still valid in Okta so it is important to remove the configuration data.

Reinstalling the RADIUS Agent

Installing the RADIUS agent does not overwrite the configuration data in the Okta RADIUS Agent folder. If you want to reinstall and create a new API token, make sure you delete the Okta RADIUS Agent folder (as described above) before you reinstall the RADIUS agent. Then perform the procedure in Installing the Okta RADIUS Agent.

Troubleshooting

The RADIUS agent is not receiving traffic or authentication is failing.

The RADIUS agent must be able to listen on the UDP ports that are being used by your RADIUS clients. Firewalls can impede that communication if the necessary ports are not open. If you are unable to authenticate over RADIUS, verify that no firewall, including any Windows firewall, is filtering this traffic. The standard port is UDP 1812, but other ports can be used.
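
A quick way to check both halves of this on the agent server, whether a process is bound to the UDP port and whether Windows Firewall rules cover it, is sketched below. This is an added example, not part of Okta's documentation; the function names are hypothetical, and it assumes the NetTCPIP and NetSecurity cmdlets of Windows Server 2012 and later.

```powershell
# Added example; requires the NetTCPIP and NetSecurity modules (Windows Server 2012 and later).
function Test-PortCovered {
    # True if a firewall LocalPort filter ('Any', '1812', '1812-1813', or a list) covers $Port.
    param($Filter, [int]$Port)
    foreach ($item in @($Filter)) {
        if ($item -eq 'Any') { return $true }
        if ($item -match '^(\d+)(?:-(\d+))?$') {
            $lo = [int]$Matches[1]
            $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
            if ($Port -ge $lo -and $Port -le $hi) { return $true }
        }
    }
    return $false
}

function Test-RadiusUdpPath {
    param([int]$Port = 1812)      # standard port per this page; pass the port you configured

    # Which process, if any, is bound to the UDP port on this server?
    $listeners = @(Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Address = $_.LocalAddress; ProcessId = $_.OwningProcess; Process = $proc.ProcessName }
    })

    # Enabled inbound rules whose UDP local-port filter covers the port.
    $inbound = @(Get-NetFirewallRule -Direction Inbound -Enabled True | Where-Object {
        $f = $_ | Get-NetFirewallPortFilter
        ($f.Protocol -eq 'UDP' -or $f.Protocol -eq 'Any') -and (Test-PortCovered $f.LocalPort $Port)
    })
    $allow = @($inbound | Where-Object { $_.Action -eq 'Allow' })
    $block = @($inbound | Where-Object { $_.Action -eq 'Block' })

    [pscustomobject]@{
        Port       = $Port
        Listening  = $listeners.Count -gt 0
        Listeners  = $listeners
        AllowRules = $allow.DisplayName
        BlockRules = $block.DisplayName     # a matching Block rule wins over Allow
    }
}

Test-RadiusUdpPath -Port 1812 | Format-List
```

The check is port-level and local only: rules scoped to a program, address, or profile, and any network firewall between the RADIUS client and the agent, still need to be reviewed separately.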
