Can you restrict the users who can authenticate via RADIUS?
https://support.okta.com/help/answers?id=9062a000000bm7fqaq&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Michael Mongeau

Can you restrict the users who can authenticate via RADIUS?

We are using a Microsoft Forefront TMG server as a RADIUS client to protect some internal web sites. The audience for these web sites is a small subset of the valid users in Okta. The current Okta RADIUS agent does not support group membership. Is there any other way to restrict the users who can authenticate via RADIUS, such as security policy?

Thanks,

 Michael
 
Wils Dawson (Okta, Inc.)
Hi Michael,

You can restrict authentications to Okta via RADIUS in the Okta Sign On Policy (https://support.okta.com/help/articles/Knowledge_Article/99245886-Configuring-Sign-On-Policies). Note this is for getting a new Okta session, not logging into a specific app managed by Okta. If that fits your use case, you'll want to set up policies something like:

1. Policy for Approved RADIUS users (assigned to "RADIUS Approved" group)
   a) Allow RADIUS rule
      IF User located ANYWHERE
      AND Authenticating via RADIUS
      THEN Allow access
2. Policy for Everyone else (assigned to "Everyone")
   a) Deny RADIUS rule
      IF User located ANYWHERE
      AND Authenticating via RADIUS
      THEN Deny access
   b) Other access rule
      IF User located ANYWHERE
      AND Authenticating via ANY mechanism
      THEN Allow access

In this way users in the "RADIUS Approved" group will be allowed to create an Okta session via RADIUS, while everyone else will not. The users in the "RADIUS Approved" group will fall through to the "Other access rule" when they are not logging in via RADIUS and be allowed, in this case. You could also require MFA, have more complex rules around network segments, and many more things with additional rules and policies.

Hopefully that helps,
Wils
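
The policy layout from the answer above, modelled as an added example (not part of the original thread and not Okta's code). It assumes policies are tried in order, apply only to members of their assigned group, and are skipped when none of their rules match, as the answer describes; the `WEB` auth type and the two sample users are constructed.

```python
# Added illustration: simplified model of the evaluation order described in
# the answer above. Names and matching logic are assumptions, not Okta's API.
from dataclasses import dataclass, field

ANY = "ANY"

@dataclass
class Rule:
    name: str
    auth_type: str  # "RADIUS" or ANY
    action: str     # "ALLOW" or "DENY"

@dataclass
class Policy:
    name: str
    group: str      # group the policy is assigned to
    rules: list = field(default_factory=list)

def evaluate(policies, user_groups, auth_type):
    """Return (policy, rule, action) for the first rule that matches.
    Assumed model: policies are tried in priority order, a policy applies only
    to members of its group, and a policy with no matching rule is skipped.
    """
    for policy in policies:
        if policy.group not in user_groups:
            continue
        for rule in policy.rules:
            if rule.auth_type in (ANY, auth_type):
                return policy.name, rule.name, rule.action
    return None, None, "DENY"  # assumption: nothing matched, no access

# The two policies from the answer, in the order given.
POLICIES = [
    Policy("Approved RADIUS users", "RADIUS Approved",
           [Rule("Allow RADIUS", "RADIUS", "ALLOW")]),
    Policy("Everyone else", "Everyone",
           [Rule("Deny RADIUS", "RADIUS", "DENY"),
            Rule("Other access", ANY, "ALLOW")]),
]

def access_matrix(policies):
    """Decisions for a constructed approved and non-approved user."""
    users = {"approved": {"Everyone", "RADIUS Approved"}, "other": {"Everyone"}}
    return {(u, a): evaluate(policies, g, a)[2]
            for u, g in users.items() for a in ("RADIUS", "WEB")}

if __name__ == "__main__":
    print(access_matrix(POLICIES))
    print(access_matrix(POLICIES[::-1])[("approved", "RADIUS")])
```

Under this model, ranking the "Everyone" policy first would deny RADIUS to approved users as well, so the approved-group policy has to sit above it.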
Michael Mongeau
This may work.  Only users in the "RADIUS Approved" group will be allowed to authenticate via RADIUS, and users in that group will also be allowed to authenticate normally to access other applications they may be granted.  I will do some testing of these policies in our preview org.

Thanks,

 Michael