This article presents a scenario in which users can log in with the RADIUS agent without a password.
- RADIUS application
- Passwordless authentication
- Okta Classic Engine
- Multi-Factor Authentication (MFA)
When the RADIUS application is set to Passwordless authentication (meaning that Okta does not perform primary authentication), the user provides the VPN client with their RADIUS application username and, if a soft token is in use, the OTP token. For any other method, the user must type EMAIL, SMS, CALL, or PUSH. For example, to use Okta Verify with Push, the user enters PUSH as the password, and a push notification should be sent to the enrolled device.
To achieve this flow, please follow the steps below:
- Send Access-Challenge for the MFA-only logins option in the RADIUS application.
- Select the Sign On tab and make sure the Advanced RADIUS Settings checkbox is checked.
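What the VPN client puts on the wire in this flow, as an added example that is not Okta's code: an RFC 2865 Access-Request whose User-Password attribute carries the OTP or a factor keyword such as PUSH instead of a password. The username, shared secret and helper names are constructed for illustration.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2    # RFC 2865 code and attribute types
FACTOR_KEYWORDS = {"EMAIL", "SMS", "CALL", "PUSH"}    # keywords named in the article

def _chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result    # always chain on the ciphertext block
    return out

def hide_password(value: str, secret: bytes, authenticator: bytes) -> bytes:
    raw = value.encode()
    if not 0 < len(raw) <= 128:
        # Passwordless still needs an OTP or a keyword in this field.
        raise ValueError("User-Password must be 1..128 bytes")
    return _chain(raw + b"\x00" * (-len(raw) % 16), secret, authenticator, decrypt=False)

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    return _chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00").decode()

def build_access_request(username: str, password_field: str, secret: bytes, identifier: int = 1) -> bytes:
    authenticator = os.urandom(16)    # Request Authenticator, fresh per request
    hidden = hide_password(password_field, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((USER_NAME, username.encode()), (USER_PASSWORD, hidden)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def password_field_kind(value: str) -> str:
    """Local label for the two cases the article describes (not Okta's parser)."""
    if value in FACTOR_KEYWORDS:
        return "keyword:" + value
    return "otp" if value.isdigit() else "unrecognised"

if __name__ == "__main__":
    # Constructed sample values: username and shared secret.
    pkt = build_access_request("jdoe@example.com", "PUSH", b"constructed-shared-secret")
    print(password_field_kind("PUSH"), pkt.hex())
```

The keyword or OTP is only hidden with MD5 and the shared secret, so anyone holding that secret can recover it with `reveal_password`.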
