Troubleshooting Okta RADIUS Errors
Okta Classic Engine
Multi-Factor Authentication

Overview

Okta's RADIUS implementation is relatively simple. The RADIUS agent (server) is a proxy between the customer's RADIUS appliance (client) and Okta for authentication and MFA. The RADIUS agent transforms RADIUS messages from the client into Okta API requests and Okta API responses into RADIUS messages to the client.


Applies To

  • RADIUS
  • API
  • Okta Classic Engine


Troubleshooting

Possible Case 1

  • Error:

Invalid credentials:

2019-07-31 09:44:35 UTC [Win2016, pool-1-thread-4, radiusRequestId=[radiusRequestID], user=[username], requestType=primary] : WARN  - Authentication failed for user silentactivation, reason --- Access denied. Invalid creds?.


  • Possible causes:
    • Most of the time, the user entered a bad username or password.
    • Bad username format.
    • Delegated Authentication failures. The user authenticates with Okta through AD/LDAP Delegated Authentication, and a failure there produces the above error. Delegated Authentication must be investigated separately to find out why it failed.
    • Wrong shared secret. Re-enter the secret in the Okta RADIUS app. If Delegated Authentication is in use, the AD agent shows a System.Xml.Serialization.XmlSerializer.Deserialize error when a bad RADIUS secret is used.
    • The secret contains symbols (for example, |, &, #). Symbols are not supported in the RADIUS secret.
    • The account the admin is signing in with is the same account used to configure the RADIUS agent. Use a service account when setting up the RADIUS agent.
    • Extremely rare: the user entered the correct password, but the RADIUS appliance sends the wrong data. This can only be proven with a Wireshark trace taken on the RADIUS appliance or on the RADIUS agent. Provide the shared secret to Wireshark so it can decode the RADIUS messages and show the password that was actually sent.
    • NOTE: When decrypting the password in Wireshark, either use a test account so that a real user's password is not seen or shared, or reset the password after verifying the value in the trace.
    • Check the RADIUS integration instructions. Most RADIUS integrations state that primary authentication should be unchecked.
    • Ensure that the user has the required factors enrolled by checking the end-user dashboard and the user's page in the Admin Console. Also check whether the enrollment policy allows the user to enroll in or use the required factors. In some cases, changes to the enrollment policies invalidate the user's factors: they still show in the Admin Console but no longer appear in the end-user dashboard.


Possible Case 2

  • Error:

RADIUS agent queue is full:

2020-03-16 15:29:02 UTC [{ServerName}, pool-2-thread-2, radiusRequestId=[radiusRequestID], user=[username], requestType=primary]: WARN - Authentication failed for user [username], reason --- Request queue is full.


  • Possible causes:
    • The rate at which the RADIUS agent handles requests is slower than the rate at which it receives them, so the queue fills up. Requests that arrive once the queue is full are ignored.
  • Solution:
    • Increase the RADIUS agent thread count and/or the number of RADIUS agents. If multiple agents are used, they must sit behind a load balancer. Support cannot help with load balancer implementations; that is a task for Professional Services or for the customer.
    • RADIUS threads are increased by changing the ragent.num_request_threads parameter in the RADIUS config file, C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\user\config\radius\config.properties. Any increase in threads must be accompanied by an increase in connections, set by the ragent.num_max_http_connection parameter in the same file. Connections need to be 5 above threads.
    • In delegated authentication environments, make sure the AD/LDAP agents can handle the additional load.
    • See Install and configure the RADIUS Agent for RADIUS agent configuration details.


Possible Case 3

  • Error:

Timeout during MFA loop:

2020-03-30 17:55:11 UTC [Win2016, pool-1-thread-2, radiusRequestId=[radiusRequestID], user=[username], requestType=primary] : WARN  - Authentication failed for user [username], reason --- Access-Request failed, error: Request failed at step=DURING_MFA_POLL_LOOP. Time-out


  • Possible causes:
    • This is associated with Okta Verify Push: the RADIUS agent is waiting for Okta to validate the push request. If the request is not validated quickly enough (by the user accepting it on the phone), the RADIUS agent times out.
  • Solution:
    • Increase the RADIUS agent timeout by raising the ragent.total.request.timeout.millisecond parameter value in C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\user\config\radius\config.properties. Review the Configure properties documentation to understand how the agent interprets the entered value.
    • Do not raise the RADIUS agent timeout above the RADIUS appliance timeout value. The RADIUS appliance usually retries after its timeout expires and would then flood the RADIUS agent, which is still legitimately waiting for the push validation.
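The two config.properties rules stated in Cases 2 and 3 (connections at least 5 above threads; agent timeout not above the appliance timeout) written as a checker, an added example that is not Okta's code or part of the original article. The property excerpt is constructed, and the appliance timeout is assumed to be known to the operator and expressed in milliseconds.

```python
# Constructed excerpt in Java .properties layout; not a real agent config file.
SAMPLE_CONFIG = """\
# request handling (constructed values)
ragent.num_request_threads=40
ragent.num_max_http_connection=40
ragent.total.request.timeout.millisecond=90000
"""
THREADS = "ragent.num_request_threads"
CONNS = "ragent.num_max_http_connection"
TIMEOUT = "ragent.total.request.timeout.millisecond"

def parse_properties(text):
    """Minimal .properties reader: key=value per line; lines starting with '#' or '!' are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_config(props, appliance_timeout_ms):
    """Return findings against the rules in Cases 2 and 3; an empty list means the values comply."""
    findings = []
    missing = [k for k in (THREADS, CONNS, TIMEOUT) if k not in props]
    if missing:
        return [f"missing property: {k}" for k in missing]
    threads, conns, timeout = (int(props[k]) for k in (THREADS, CONNS, TIMEOUT))
    # Case 2: every thread increase needs a connection increase; read here as "at least threads + 5".
    if conns < threads + 5:
        findings.append(f"{CONNS}={conns} is below {threads + 5} (threads + 5)")
    # Case 3: an agent timeout above the appliance timeout makes the appliance retry and flood the agent.
    # Assumption: both timeouts are compared in milliseconds.
    if timeout > appliance_timeout_ms:
        findings.append(f"{TIMEOUT}={timeout} exceeds the appliance timeout of {appliance_timeout_ms}")
    return findings

def recommend(props, appliance_timeout_ms):
    """Return a copy of the properties with the two values adjusted to satisfy both rules."""
    fixed = dict(props)
    threads = int(props[THREADS])
    fixed[CONNS] = str(max(int(props[CONNS]), threads + 5))
    fixed[TIMEOUT] = str(min(int(props[TIMEOUT]), appliance_timeout_ms))
    return fixed
```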


Possible Case 4

  • Error:

Rate limits associated with RADIUS.


  • Possible causes:
    • Actual rate limits on the /api/v1/radius endpoint. This is very rare because the endpoint has a high threshold; contact Support to verify which limit is being hit on this endpoint.
    • Concurrency rate limits, which refer to the total number of requests Okta can process simultaneously. These can be hit during high load, for example when many users authenticate against RADIUS at the same time, and they affect the whole org, not just RADIUS authentications.
    • Email/SMS/call factor limits. Each factor has a separate bucket for email and phone number limits.
  • Diagnosing:
    • Get the Okta RADIUS Agent logs and provide them to Okta Support. The radiusRequestId and the specific timestamp at which the issue occurred are needed.

  • Solution:
    • If endpoint or concurrency limits need to be increased, Support has to seek approval from the internal team for this type of request. Be aware that this process might take some time.


Possible Case 5

  • Error:

RADIUS Agent Authentication fails with the following error in the Okta System Logs:

Delegated authentication request timed out. Ensure that the agent for your directory is connected to Okta.

    • This error might also be followed by the following error in RADIUS logs:

Authentication failed for user testuser@okta.com, reason --- Access denied. Invalid creds? 

  • Cause:
    • The Secret Key in the RADIUS application in Okta was not entered correctly.
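The agent log lines quoted in Cases 1, 2, 3 and 5 share one layout, so a small parser can pull out radiusRequestId, user and the failure reason and map each failure to the case in this article. This is an added example, not code from the article or from Okta; the sample lines are constructed in that layout.

```python
import re
from collections import Counter
# Constructed sample lines (not real agent output) in the layout quoted in Cases 1, 2 and 3.
SAMPLE_LOG = [
    "2019-07-31 09:44:35 UTC [Win2016, pool-1-thread-4, radiusRequestId=[req-001], user=[jdoe], "
    "requestType=primary] : WARN  - Authentication failed for user jdoe, reason --- Access denied. Invalid creds?.",
    "2020-03-16 15:29:02 UTC [Win2016, pool-2-thread-2, radiusRequestId=[req-002], user=[asmith], "
    "requestType=primary]: WARN - Authentication failed for user asmith, reason --- Request queue is full.",
    "2020-03-30 17:55:11 UTC [Win2016, pool-1-thread-2, radiusRequestId=[req-003], user=[jdoe], "
    "requestType=primary] : WARN  - Authentication failed for user jdoe, reason --- Access-Request failed, "
    "error: Request failed at step=DURING_MFA_POLL_LOOP. Time-out",
]
LINE_RE = re.compile(  # timestamp, bracketed request context, level, message
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC \[(?P<host>[^,]+), (?P<thread>[^,]+), "
    r"radiusRequestId=\[(?P<rid>[^\]]*)\], user=\[(?P<user>[^\]]*)\], requestType=(?P<rtype>[^\]]+)\]"
    r"\s*: (?P<level>\w+)\s+- (?P<msg>.*)$"
)
# Substring of the failure reason -> the case in this article that covers it (checked in order).
CASE_RULES = (
    ("Request queue is full", "case2_queue_full"),
    ("DURING_MFA_POLL_LOOP", "case3_mfa_poll_timeout"),
    ("Invalid creds?", "case1_or_5_invalid_credentials"),
)

def parse_line(line):
    """Return the fields of one agent log line, or None if the layout does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    _, sep, reason = fields["msg"].partition("reason --- ")
    fields["reason"] = reason.rstrip(".") if sep else ""  # drop the trailing '.' of 'Invalid creds?.'
    return fields

def classify(reason):
    for needle, case in CASE_RULES:
        if needle in reason:
            return case
    return "unclassified"

def triage(lines):
    """Return ([(radiusRequestId, user, case), ...], count per case); non-WARN lines are skipped."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f is None or f["level"] != "WARN" or not f["reason"]:
            continue
        findings.append((f["rid"], f["user"], classify(f["reason"])))
    return findings, Counter(case for _, _, case in findings)
```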


Possible Case 6

  • Error:

Okta RADIUS Agent showing as Inactive.


  • Solution:
  1. Uninstall the RADIUS agent and reinstall it.
  2. Delete the Okta RADIUS folder.
    • The folder contains a config file that must be deleted; otherwise, the newly installed agent will reuse the data of the old agent.
  3. The reinstall then generates a new API token between the tenant and the RADIUS agent.


Possible Case 7

  • Error:

RADIUS Agent's log or VPN's log shows: Access-Request must contain password.

    • In this case, the administrator cannot see system log events for the error in the Admin Console.
    • According to the Okta RADIUS Server Agent flow diagram, the login request most likely failed at steps 2 and 3 of that diagram, which produced this error.
  • Cause:
    • This happens when the VPN profile the end user is using is configured incorrectly.
    • The error occurs when the end user attempts to authenticate through the VPN profile without a password being included in the request.
  • Solution:
    • The administrator should check how the end user's VPN profile was created.


NOTE: Before providing Okta RADIUS logs, ensure that debug logging is enabled as described below:

  • Enabling RADIUS agent debug logs:
    Edit the file C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\user\config\radius\log4j.properties and replace INFO with DEBUG in the three lines that contain it.
