This article clarifies why an Okta Administrator's name appears for all RADIUS authentication attempts.
- RADIUS Authentication
- Multi-Factor Authentication (MFA)
- Classic & Okta Identity Engine (OIE)
During the RADIUS agent install procedure, there is a prompt to log in to the tenant with a user that has admin rights. The account used at this prompt generates the API token granted to the agent for making authentication calls for RADIUS integrations, so the token is associated with that account.
If an admin uses their own credentials, their name will be tied to that API token, and that is why their user name is attached to all RADIUS requests as the "Actor" / "actor.id" in the system log.
Okta recommends the use of a dedicated service account to authorize RADIUS agents. A dedicated account ensures that the API token used by the RADIUS agent is not tied to the life cycle of a specific user account, which could be deactivated when the user is deactivated.
NOTE: Service accounts used for RADIUS agents must be given appropriate admin permissions. A RADIUS agent Service Account must have either:
- Read-only Admin and App admin roles
- The Super admin role.
Update the Name associated with RADIUS authentication by reinstalling the RADIUS Agent (recommended if agent update is available):
- NOTE: Reinstalling the RADIUS agent does not overwrite the configuration data in the Okta RADIUS Agent folder. When reinstalling the agent to update the API token, make sure to make a copy, then delete/remove the Okta RADIUS Agent folder from:
  - \Program Files (x86)\Okta

  ... before reinstalling the RADIUS agent.
- Then, perform the procedure in Install the RADIUS Windows agent.
- When prompted to log in, be sure to do so with the service account.
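To confirm which account the agent's API token is tied to, before and after the reinstall, the following added example (not part of the original article or Okta's own tooling) groups exported System Log events by "actor.id" and flags any RADIUS actor that is not the dedicated service account. The event type string, the sample IDs and logins, and the function names are assumptions made for illustration.

```python
import json
from collections import Counter

# Assumption: event type string for RADIUS authentications in the System Log.
RADIUS_EVENT_TYPE = "user.authentication.auth_via_radius"

# Constructed sample events (not real data), reduced to the fields used here.
SAMPLE_EVENTS = json.loads("""[
  {"eventType": "user.authentication.auth_via_radius",
   "actor": {"id": "00uEXAMPLEADMIN", "alternateId": "jane.admin@example.com"}},
  {"eventType": "user.authentication.auth_via_radius",
   "actor": {"id": "00uEXAMPLEADMIN", "alternateId": "jane.admin@example.com"}},
  {"eventType": "user.authentication.auth_via_radius",
   "actor": {"id": "00uEXAMPLESVC", "alternateId": "svc-radius@example.com"}},
  {"eventType": "user.session.start",
   "actor": {"id": "00uEXAMPLEADMIN", "alternateId": "jane.admin@example.com"}}
]""")


def radius_actors(events, event_type=RADIUS_EVENT_TYPE):
    """Count RADIUS authentication events per (actor.id, actor.alternateId)."""
    counts = Counter()
    for event in events:
        if event.get("eventType") != event_type:
            continue  # ignore non-RADIUS activity by the same account
        actor = event.get("actor") or {}
        counts[(actor.get("id"), actor.get("alternateId"))] += 1
    return counts


def unexpected_actors(events, service_account_ids):
    """Return RADIUS actors whose actor.id is not an approved service account."""
    return {
        actor: count
        for actor, count in radius_actors(events).items()
        if actor[0] not in service_account_ids
    }


if __name__ == "__main__":
    for (actor_id, login), count in unexpected_actors(
        SAMPLE_EVENTS, {"00uEXAMPLESVC"}
    ).items():
        print(f"RADIUS token still tied to {login} ({actor_id}): {count} events")
```

An empty result from `unexpected_actors` after the reinstall means every RADIUS event in the export is attributed to the service account.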
