This article provides instructions to configure a FortiGate device with a secondary Okta Remote Authentication Dial-In User Service (RADIUS) agent to act as a failover.
- Okta RADIUS Agent
- FortiGate
- Provision a new server for the secondary Okta RADIUS Agent and ensure that UDP port 1812 on it is used exclusively by the Okta RADIUS Agent.
- In the FortiGate interface, navigate to User & Authentication > RADIUS Servers.
- Create a new server entry and populate the required fields, such as the IP/FQDN, secret, timeout, and retries.
- Navigate to User & Authentication > User Groups.
- Select the firewall user group that contains the RADIUS server entry for the primary Okta RADIUS agent and select Edit.
- Add the RADIUS server entry for the secondary agent as a member of the same group.
FortiGate handles redundancy automatically in the following scenarios:
- The primary RADIUS server is unreachable or down.
- The number of retries or the timeout limit is exceeded.
NOTE: Okta does not natively provide a mechanism to enforce requests originating from a particular RADIUS server. Failover is handled by the Virtual Private Network (VPN) or the client. All requests from Okta RADIUS agents are directed to a unified endpoint, and authentication relies on the configured RADIUS secret and port number within the same RADIUS application.
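The following is an added example, not code from the Okta article or from FortiOS, that mirrors the failover behaviour described above: an ordered list of RADIUS server entries (primary first), each with its own retry budget, where the client moves to the next entry only after that entry's retries are exhausted. It also shows why the note matters: a reply is accepted only if its Response Authenticator validates under the shared secret configured for that entry (RFC 2865 section 3), so a secondary entry with a mistyped secret behaves like an outage rather than a working failover. The server names, the secrets, and the in-process mock agents are constructed for the example; real traffic would go over UDP to the agent hosts.

```python
# Added example (not from the Okta article or FortiOS): a minimal RADIUS client
# that walks server entries in order, retries each up to its configured count,
# and fails over when retries are exhausted. Replies are accepted only if the
# Response Authenticator validates under that entry's shared secret.
# Transport is simulated in-process so the code runs offline.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length


def build_access_request(identifier, attributes):
    """Build an Access-Request with a fresh random Request Authenticator.
    attributes is a list of (type, value_bytes) pairs. The mock agent does not
    check credentials, so no User-Password attribute (RFC 2865 PAP hiding) is sent."""
    request_auth = os.urandom(16)
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def response_authenticator(code, identifier, length, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(HEADER.pack(code, identifier, length) + request_auth + attrs + secret).digest()


def verify_response(response, request_auth, secret):
    """True only if the reply's Response Authenticator validates under `secret`."""
    if len(response) < 20:
        return False
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, length, request_auth, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def make_mock_agent(secret, reachable=True):
    """Simulated Okta RADIUS agent (constructed): returns None (UDP timeout) when
    unreachable, otherwise an Access-Accept authenticated with its own shared secret."""
    def handle(packet):
        if not reachable:
            return None
        _, identifier, _ = HEADER.unpack(packet[:4])
        request_auth = packet[4:20]
        auth = response_authenticator(ACCESS_ACCEPT, identifier, 20, request_auth, b"", secret)
        return HEADER.pack(ACCESS_ACCEPT, identifier, 20) + auth
    return handle


def authenticate(servers, packet):
    """Try each server entry in order with its own retry budget.
    Returns (name of the entry that answered or None, response code or None, attempt log)."""
    request_auth = packet[4:20]
    attempts = []
    for srv in servers:
        for attempt in range(1, srv["retries"] + 1):
            reply = srv["transport"](packet)
            if reply is None:  # timeout: retry the same entry until its retries are exhausted
                attempts.append((srv["name"], attempt, "timeout"))
                continue
            if not verify_response(reply, request_auth, srv["secret"]):
                # RFC 2865: silently discard; to the client this looks like a timeout
                attempts.append((srv["name"], attempt, "bad-authenticator"))
                continue
            attempts.append((srv["name"], attempt, "ok"))
            return srv["name"], reply[0], attempts
    return None, None, attempts


SHARED_SECRET = b"constructed-demo-secret"  # constructed; both agents belong to one Okta RADIUS app


def demo_failover():
    """Primary agent down, secondary healthy with the same secret: the secondary answers."""
    servers = [
        {"name": "okta-radius-primary", "secret": SHARED_SECRET, "retries": 3,
         "transport": make_mock_agent(SHARED_SECRET, reachable=False)},
        {"name": "okta-radius-secondary", "secret": SHARED_SECRET, "retries": 3,
         "transport": make_mock_agent(SHARED_SECRET, reachable=True)},
    ]
    packet = build_access_request(7, [(1, b"alice"), (32, b"fortigate-demo")])
    return authenticate(servers, packet)


def demo_secret_mismatch():
    """Secondary entry configured with the wrong secret: its replies fail
    verification, so failover does not help and authentication fails."""
    servers = [
        {"name": "okta-radius-primary", "secret": SHARED_SECRET, "retries": 2,
         "transport": make_mock_agent(SHARED_SECRET, reachable=False)},
        {"name": "okta-radius-secondary", "secret": b"typo-in-fortigate-entry", "retries": 2,
         "transport": make_mock_agent(SHARED_SECRET, reachable=True)},
    ]
    packet = build_access_request(8, [(1, b"alice"), (32, b"fortigate-demo")])
    return authenticate(servers, packet)


if __name__ == "__main__":
    for label, (server, code, log) in (("failover", demo_failover()),
                                       ("secret mismatch", demo_secret_mismatch())):
        print(f"{label}: answered_by={server} code={code}")
        for entry in log:
            print("  ", entry)
```

Running the block prints the attempt log for both scenarios. In the first, the primary times out three times and the secondary answers on its first try with an Access-Accept (code 2). In the second, every reply from the secondary is discarded as a bad authenticator, which is the failure mode to check first when a newly added secondary entry never seems to respond: confirm the secret and port on the FortiGate entry match the Okta RADIUS application.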
Changing the Default RADIUS Port
FortiGate uses the default RADIUS port 1812 and does not provide an option in the user interface to modify it. If a different User Datagram Protocol (UDP) port is required, follow these steps:
- Change the default UDP port in FortiGate using the command line. For instructions, refer to the Configure the Fortinet gateway documentation.
- In the Okta Admin Dashboard, navigate to the RADIUS application.
- Select the Sign On tab and update the port number to match the port configured in FortiGate.
