This article reviews an Okta RADIUS Agent error message, which appears in the RADIUS agent logs:
[Year]-[month]-[day] [Time] UTC [<ServerName>, pool-1-thread-4] : ERROR - Failed to get radius apps from Okta com.okta.ragent.exception.OktaRadiusException: com.okta.ragent.exception.OktaAuthException: You do not have permission to perform the requested action
This error message is accompanied by an "open-down" behavior, where the RADIUS Agent appears to be up and running within the Operating System and may be receiving requests, but is not able to perform authentication for them. Most commonly, this error message appears after installing the RADIUS Agent, but it can also occur on systems that have been idle for longer periods.
- RADIUS Agent
- Troubleshooting
This error message is known to have two causes: either the Okta RADIUS Agent "service account" does not have the correct permissions, or the agent has been idle (having not received a request in over 30 days) and its authorization token has been revoked due to expiration or administrative revocation.
To confirm a Permissions Issue
When installing the Okta RADIUS agent, Okta recommends the use of a specific 'Service Account' created with the express purpose of being used for the authorization of the RADIUS agent to make Authentication calls back to Okta. Most commonly, this error is due to permissions with the Service Account used during the installation. See Install Okta RADIUS Server agent on Windows and Install Okta RADIUS agent on Linux for reference.
When installing the RADIUS Agent, log in with an account that has either both the Read-only Admin and App admin roles or just the Super admin role.
To check and add the Service Account permissions (for Okta Identity Engine (OIE)):
- From the Okta Admin Console, open Directory > People.
- Find and click on the target account intended for use as the Service Account, and click the Admin roles tab on the user account page.
- If "Admin assignments granted individually" or "Admin assignments granted through group membership" is empty or does not contain the required admin permissions, this can cause the error message shown at the top of this article, which prevents authentication.
To check and add the Service Account permissions (on Okta Classic):
- Go to the Okta Admin Console.
- Click Security > Administrators.
- Ensure that the RADIUS service account used during installation is added to the Administrators list.
To confirm a Revoked or Expired RADIUS Agent Auth Token
If this error occurs on a RADIUS Agent that was previously known to work, the cause may be the token that authorizes the RADIUS agent to make authentication calls back to an Okta tenant. If the RADIUS Agent has an expired or revoked token, it will show as "Inactive" in the Agents panel. To check this:
- In the Okta Admin Console, navigate to Dashboard > Agents > select the RADIUS tab.
- The RADIUS Agents tab will show a list of server names and their status.
- In this example, RADIUS-Server #2 is experiencing an error message, and users are unable to authenticate. Its status is "Inactive."
Permissions issues
To resolve the issue stemming from the permissions of the Service Account in OIE:
- From the Okta Admin Console, open Directory > People.
- Find and select the target service account to use for the RADIUS integration, then click the Admin roles tab.
- On the user account page, select Add individual admin privileges.
- In the admin role's assignment tab, add either Read-only Admin and App admin roles (to add more roles, use the + Add assignment button), or just the Super admin role, and be sure to select Save Changes.
- This would be expected to resolve the issue that produces the error message without further admin action.
- If this does not resolve authentication issues, reopen the Okta RADIUS logs and search for messages that occur after this update was applied to confirm whether this is the same error or a different message.
To resolve the issue stemming from the permissions of the Service Account in Okta Classic Engine:
- Go to the Okta Admin Console.
- Click Security > Administrators.
- Ensure that the RADIUS service account is added to the Administrators list and has either the Read-only Admin and App admin roles or the Super admin role.
- This would be expected to resolve the issue that produces the error message without further admin action.
- If this does not resolve issues with authentication, reopen the Okta RADIUS logs and search for the messages that are happening after this update was made to confirm if this is the same error or a different message.
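The log check in the last step of both procedures above can be scripted. The following is an added example, not Okta code: it parses agent log lines in the layout quoted at the top of this article and reports whether the same permission error, a different error, or no error appears after the time the role change was saved. The timestamp layout, hostnames and the non-permission sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Assumption: timestamps look like "YYYY-MM-DD HH:MM:SS UTC" (optionally with
# fractional seconds); the article shows only placeholders for these fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:[.,]\d+)? UTC "
    r"\[(?P<host>[^,\]]+), (?P<thread>[^\]]+)\] : (?P<level>[A-Z]+) - (?P<msg>.*)$"
)
# All three fragments come from the error line quoted in the article.
MARKERS = (
    "Failed to get radius apps from Okta",
    "OktaAuthException",
    "You do not have permission to perform the requested action",
)

def parse_line(line):
    """Return (utc_datetime, host, level, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. stack-trace continuation lines
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, m["host"], m["level"], m["msg"]

def classify_after(lines, change_time):
    """Classify what the log shows at or after change_time (timezone-aware UTC)."""
    saw_other_error = False
    for ts, _host, level, msg in filter(None, map(parse_line, lines)):
        if ts < change_time or level != "ERROR":
            continue
        if all(marker in msg for marker in MARKERS):
            return "same-error"  # permission or token problem persists
        saw_other_error = True
    return "different-error" if saw_other_error else "clean"

# Constructed sample log: hostname, times and the last two lines are invented.
SAMPLE_LOG = """\
2024-05-01 09:58:12 UTC [radius-01, pool-1-thread-4] : ERROR - Failed to get radius apps from Okta com.okta.ragent.exception.OktaRadiusException: com.okta.ragent.exception.OktaAuthException: You do not have permission to perform the requested action
2024-05-01 10:03:40 UTC [radius-01, pool-1-thread-4] : INFO - constructed informational line
2024-05-01 10:20:05 UTC [radius-01, pool-1-thread-2] : ERROR - constructed unrelated error
""".splitlines()

if __name__ == "__main__":
    changed = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)  # time roles were saved
    print(classify_after(SAMPLE_LOG, changed))
```

A result of "same-error" after the role change points toward the token condition covered in the next section rather than the service account's roles.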
Expired or Revoked Authorization Token
To resolve the condition of an Inactive RADIUS integration (Auth token expired or revoked in Classic or OIE), Okta Administrators should reinstall the RADIUS agent, following our documentation:
- Step-by-Step Knowledge Base Article - Install the RADIUS Windows Agent.
- Manual Chapters:
This will force a new token to be minted, and the RADIUS agent will once again be authorized to perform authentication.
