This article details how credentials entered on a device or application that uses the Okta RADIUS Agent for authentication (such as a VPN) are sent from that device or application to the Okta RADIUS Agent: whether they travel in clear text, hashed, or encrypted.
- RADIUS
- Credentials handling
The username is sent in clear text, while the password is encrypted and can only be decrypted with the Secret Key. This can be verified by capturing the authentication request with Wireshark.
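As an added illustration (not Okta's code), the block below implements the standard RFC 2865 User-Password hiding that PAP over RADIUS uses: the User-Name attribute travels as-is, while User-Password is XOR-masked with MD5 digests keyed by the shared secret and the Request Authenticator, so only a party holding the secret can recover it. The secret, username, password, and authenticator are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST = 1      # RADIUS packet code
ATTR_USER_NAME = 1      # attribute type: User-Name (sent in clear)
ATTR_USER_PASSWORD = 2  # attribute type: User-Password (hidden)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous hidden block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; requires the same shared secret and authenticator."""
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(clear).rstrip(b"\x00")  # strip the null padding added by hide_password


def tlv(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute encoding: type, total length (including this 2-byte header), value."""
    return struct.pack("BB", attr_type, 2 + len(value)) + value


def build_access_request(username: str, password: str, secret: bytes,
                         authenticator: bytes, ident: int = 1) -> bytes:
    """Minimal Access-Request as a VPN/NAS would send it to the RADIUS agent."""
    attrs = tlv(ATTR_USER_NAME, username.encode()) + \
        tlv(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes):
    """Return (authenticator, {attr_type: value}) exactly as a packet capture exposes them."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return authenticator, attrs
```

Parsing a captured request shows the User-Name value verbatim, whereas the User-Password value only yields the password when unhidden with the correct shared secret.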
The Okta RADIUS Server agent:
- It is a lightweight program that runs as a system service.
- Tunnels communication between on-premises services and Okta's cloud service.
- Delegates authentication to Okta using single-factor authentication (SFA) or multi-factor authentication (MFA).
- Supports the Password Authentication Protocol (PAP).
- Supports EAP Generic Token Card (EAP-GTC). Currently only supported by NetMotion Mobility.
- Supports EAP Tunneled Transport Layer Security (EAP-TTLS) with PAP as the inner authentication protocol within the secure TLS tunnel. Currently, the Cisco Meraki and Cisco ASA RADIUS apps support configuration for EAP-TTLS.
- Supports UDP, defaulting to port 1812, using multiple ports simultaneously.
