Installing and Configuring the Okta RADIUS Server Agent
The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication (SFA) or multi-factor authentication (MFA). It installs as a Windows service and supports the Password Authentication Protocol (PAP).
For best practices, see Okta RADIUS Server Agent Deployment Best Practices.
A RADIUS client sends the RADIUS agent the credentials (username and password) of a user requesting access to the client. From here, authentication depends on your org's MFA settings.
Note: Some applications or services (e.g., AWS Workspace) do not provide an MFA selection at login, but instead ask for the MFA code in addition to the user's username and password. If the user has enrolled in more than one MFA factor (e.g., Okta Verify and Yubikey), the user does not need to specify which one they are using; the entered code is processed by each handler until it is validated successfully.
The RADIUS App
The RADIUS application is an independent, Okta-developed app that allows for access control on multiple RADIUS configurations. This option also provides the ability to create policy and assign RADIUS authentication to groups of users. For details on this app, see Okta RADIUS App.
Supported Operating Systems
The Okta RADIUS agent can be installed on the following Windows Server versions:
Upgrading to Version 2.2.0 and later and SSL Pinning
RADIUS agent versions 2.2.0 and later are enabled with SSL pinning, providing an extra layer of security. SSL pinning is not enabled by default for current users upgrading to the new agent. If you are upgrading from an agent version prior to v2.2.0, do the following after the upgrade.
Warning: The following steps should not be performed for agents on a network containing a web security appliance.
This process restricts agent communication to servers that can present valid certificates with public keys known to the new agents.
Note: See below for information on other configuration property settings.
Installing the Okta RADIUS Agent
To start, all you need are your Okta administrator credentials.
(Windows Server 2008 R2 Core ONLY) Open a browser and add the provided URL into the address field. This authorizes the installer to use Okta.
Additional Property Configurations
You can override the defaults on the following properties, if desired.
Checking Your Logs
Depending on where you installed the Okta RADIUS Agent, data logs can be accessed from Program Files (x86)\Okta\Okta RADIUS agent\current\logs.
Increasing the logging level:
Managing the Okta RADIUS Agent
Uninstalling and Reinstalling the RADIUS Agent
When you uninstall and reinstall your RADIUS agent, you must decide whether or not you also want to remove the old Okta API token from your system. If you are performing an upgrade, you are not required to do so. To remove the API token, you must delete the Okta RADIUS Agent folder, and deactivate and remove your old RADIUS agent.
Uninstalling the RADIUS Agent
Do the following:
Reinstalling the RADIUS Agent
Installing the RADIUS agent does not overwrite the configuration data in the Okta RADIUS Agent folder. If you want to reinstall and create a new API token, make sure you delete the Okta RADIUS Agent folder (as described above) before you reinstall the RADIUS agent. Then perform the procedure in Installing the Okta RADIUS Agent.
The RADIUS agent is not receiving traffic or authentication is failing.
The RADIUS agent must be able to listen on the UDP ports that are being used by your RADIUS clients. Firewalls can impede that communication if the necessary ports are not open. If you are unable to authenticate over RADIUS, verify that no firewall, including any Windows firewall, is filtering this traffic. The standard port is UDP 1812, but other ports can be used.