Can you restrict which users can authenticate via RADIUS?
We are using a Microsoft Forefront TMG server as a RADIUS client to protect some internal web sites. The audience for these web sites is a small subset of the valid users in Okta. The current Okta RADIUS agent does not support group membership. Is there any other way to restrict which users can authenticate via RADIUS, such as a security policy?
1. Policy for Approved RADIUS users (assigned to "RADIUS Approved" group)
a) Allow RADIUS rule
IF User located ANYWHERE AND Authenticating via RADIUS THEN Allow access
2. Policy for Everyone else (assigned to "Everyone")
a) Deny RADIUS rule
IF User located ANYWHERE AND Authenticating via RADIUS THEN Deny access
b) Other access rule
IF User located ANYWHERE AND Authenticating via ANY mechanism THEN Allow access
In this way users in the "RADIUS Approved" group will be allowed to create an Okta session via RADIUS, while everyone else will not. The users in the "RADIUS Approved" group will fall through to the "Other access rule" when they are not logging in via RADIUS and be allowed in that case. You could also require MFA, have more complex rules around network segments, and many more things with additional rules and policies.
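To make the evaluation order concrete before testing in a preview org, here is an added example that simulates the two policies above. It is not from the answer and not Okta's code; it models the rules as the answer states them (policies checked in priority order, a policy applies only if the user is in one of its assigned groups, the first matching rule in the applied policy decides). The one thing the answer relies on that is worth verifying is what happens when the "RADIUS Approved" policy applies but none of its rules match a non-RADIUS login; the simulator takes that as a parameter (`fall_through`) so both readings can be compared. The group names, the `HARDENED_POLICIES` variant with a catch-all allow rule on the approved policy, and the `"OTHER"` auth-type label are assumptions made here.

```python
"""Simulate Okta sign-on policy evaluation for the RADIUS-gating design.

Hypothetical model, not Okta's implementation: policies are checked in
priority order; a policy applies only if the user is in one of its assigned
groups; within the applied policy, rules are checked in order and the first
whose conditions match decides. Whether Okta moves on to the next policy when
the applied policy has no matching rule is left as a parameter, because that
is the behaviour to confirm in a preview org.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    auth_type: str   # "RADIUS" or "ANY", mirroring the "Authenticating via" condition
    access: str      # "ALLOW" or "DENY"


@dataclass(frozen=True)
class Policy:
    name: str
    assigned_to: frozenset   # groups the policy is assigned to
    rules: tuple             # in priority order


EVERYONE = "Everyone"                 # every Okta user is a member
RADIUS_APPROVED = "RADIUS Approved"   # assumed name of the gating group

# The two policies from the answer, highest priority first.
POLICIES = (
    Policy(
        "Policy for Approved RADIUS users",
        frozenset({RADIUS_APPROVED}),
        (Rule("Allow RADIUS rule", "RADIUS", "ALLOW"),),
    ),
    Policy(
        "Policy for Everyone else",
        frozenset({EVERYONE}),
        (
            Rule("Deny RADIUS rule", "RADIUS", "DENY"),
            Rule("Other access rule", "ANY", "ALLOW"),
        ),
    ),
)

# Assumed hardening (not in the answer): give the approved policy its own
# catch-all allow rule so approved users' non-RADIUS logins do not depend on
# how Okta treats a policy with no matching rule.
HARDENED_POLICIES = (
    Policy(
        POLICIES[0].name,
        POLICIES[0].assigned_to,
        POLICIES[0].rules + (Rule("Other access rule", "ANY", "ALLOW"),),
    ),
    POLICIES[1],
)


def evaluate(policies, user_groups, auth_type, fall_through=True):
    """Return (policy name, rule name, decision) for one sign-in attempt.

    auth_type is "RADIUS" or "OTHER" (browser, SAML, etc.).
    fall_through=True models what the answer relies on: if the applied policy
    has no matching rule, the next policy is tried. False models the stricter
    reading: the first applicable policy is final and a miss is a deny.
    """
    user_groups = frozenset(user_groups)
    for policy in policies:
        if not policy.assigned_to & user_groups:
            continue
        for rule in policy.rules:
            if rule.auth_type in ("ANY", auth_type):
                return policy.name, rule.name, rule.access
        if not fall_through:
            return policy.name, None, "DENY"
    return None, None, "DENY"


def decide(user_groups, auth_type, policies=POLICIES, fall_through=True):
    """Just the ALLOW/DENY decision for a sign-in attempt."""
    return evaluate(policies, user_groups, auth_type, fall_through)[2]


if __name__ == "__main__":
    approved = {EVERYONE, RADIUS_APPROVED}
    everyone = {EVERYONE}
    for groups in (approved, everyone):
        for auth in ("RADIUS", "OTHER"):
            for ft in (True, False):
                print(sorted(groups), auth, "fall_through=%s" % ft,
                      evaluate(POLICIES, groups, auth, ft))
```

The case to watch is an approved user logging in via a browser: under the fall-through reading it reaches the "Other access rule" and is allowed, under the strict reading it is denied, which is exactly the difference a preview-org test should expose. Policy order matters too: with the "Everyone" policy ranked first, approved users never reach their allow rule and are denied via RADIUS.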
This may work. Only users in the "RADIUS Approved" group will be allowed to authenticate via RADIUS, and users in that group will also be allowed to authenticate normally to access other applications they may be granted. I will do some testing of these policies in our preview org.