Kyle Seever 

Integrating OKTA Radius Agent with strongSwan?


I am trying to integrate strongSwan (v5.3.5) with the Okta RADIUS Agent (v2.7.0) and am having difficulties lining up all of the protocols involved. The native macOS VPN client wants to use IKEv2 with EAP, but the documentation for the Okta agent notes that it only supports PAP. The eap-radius plugin exists to bridge these protocols, only it forwards the EAP conversation to the AAA via the EAP-Message AVP within the RADIUS protocol. A builtin XAuth backend makes it seem as if it should adapt EAP to PAP by sending plain XAuth creds via PAP in the User-Name and User-Password AVPs to the RADIUS backend. However, I haven't had any success in getting strongSwan to speak PAP instead of EAP back to the agent.

I'm pretty sure I'm misunderstanding some part of the EAP/PAP/XAuth/RADIUS exchange. Has anyone had success integrating with strongSwan in a similar configuration? What are my options since the agent doesn't support EAP?
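
The two RADIUS request shapes described in the question, as an added example that is not part of the original post and not Okta or strongSwan code: it builds a PAP Access-Request (User-Password hidden per RFC 2865 section 5.2) and an EAP one (EAP-Message, RFC 3579), then classifies each from its attributes, which is a quick way to check what a capture between the gateway and the agent actually carries. The shared secret, user name, password and authenticator are constructed sample values, and the EAP sample omits the Message-Authenticator attribute that a real EAP request also carries.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, CHAP_PASSWORD, EAP_MESSAGE = 1, 2, 3, 79  # RFC 2865/3579

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: how a PAP password travels in User-Password."""
    padded = password + b"\x00" * ((-len(password) % 16) if password else 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Server side: anyone holding the shared secret recovers the cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_attributes(packet):
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def auth_method(packet):
    types = {t for t, _ in parse_attributes(packet)}
    order = (("EAP", EAP_MESSAGE), ("PAP", USER_PASSWORD), ("CHAP", CHAP_PASSWORD))
    return next((name for name, attr in order if attr in types), "unknown")

SECRET, RA = b"constructed-secret", bytes(range(16))  # constructed sample values
PAP_REQUEST = build_access_request(1, RA, [
    (USER_NAME, b"alice"), (USER_PASSWORD, hide_password(b"constructed-pw", SECRET, RA))])
EAP_IDENTITY = struct.pack("!BBHB", 2, 0, 10, 1) + b"alice"  # EAP-Response/Identity
EAP_REQUEST = build_access_request(2, RA, [(USER_NAME, b"alice"), (EAP_MESSAGE, EAP_IDENTITY)])
```

The EAP request contains no User-Password attribute at all, so a PAP-only RADIUS server has nothing it can validate in it.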

Nate Quesada (Okta, Inc.)
Hi Kyle,

Unfortunately, this is not supported in the manner you're suggesting, although our Professional Services team mentioned that you may be able to accomplish what you're looking to do by leveraging the FreeRADIUS utility to proxy these requests. I think your best bet, though, will be strongSwan support.

Sorry we can't be more helpful. I hope you are able to find a way to make this work.