How to Test if Okta RADIUS Agent / RADIUS Application is Working Properly with NTRadPing
Multi-Factor Authentication
Overview

NTRadPing is a freeware RADIUS testing tool for verifying, on Windows computers, that the Okta RADIUS Agent or a designated RADIUS App is configured correctly.


The app can be downloaded from here: NTRadPing. After downloading the App, unzip and open NTRadPing.

NOTE: This testing tool is not owned by Okta; use whichever RADIUS testing tool is preferred.

 

Applies To
  • Okta RADIUS Agent
  • RADIUS Application
  • NTRadPing
  • Windows
Solution

Follow the steps or video below:



Setting up NTRadPing with the values of the environment in use:

  • RADIUS Server: The server IP Address where the Okta RADIUS Agent is installed.

  • Port: The port that was configured in the Okta RADIUS Application from the Admin Dashboard.

  • Reply timeout (sec): Default is 10 seconds. Best practice is to set it to 60 seconds when MFA is used.

  • RADIUS Secret key: This is the Secret Key from the Okta RADIUS Application from the Admin Dashboard.

  • Username: The username that is assigned to the Okta RADIUS Application on the Assignments tab (note that the username in the Okta RADIUS Application must match the Username entered in the NTRadPing tool).

  • Password: The password for the account that is used for testing.

  • Request type: Authentication Request.

  • CHAP checkbox: Please DO NOT enable CHAP (CHAP is not supported).


 

There are three scenarios:

  1. If no MFA is used, click Send (in the NTRadPing tool), and the reply message for a successful authentication will look like this: Reply-Message=Welcome User-name!.

  2. If Okta Verify push MFA is used, ensure that the Accept password and security token in the same login request option is checked under the designated RADIUS app Sign-on settings in Okta for this to work. Best practice for testing is to use Okta Verify with Push.

    1. Before clicking Send, specify the factor in the Password field, after the password and a comma.
      Example: {Password1},push

    2. Click Send, and authenticate via Factor.

  3. If SMS, Push, Call, Email, or Okta Verify code is leveraged: 

    1. Before clicking Send, specify the factor in the Password field, after the password and a comma.
      Example: {Password1},{factor} where the factor is SMS, Call, Email, or Token.

    2. After clicking Send, authenticate via the factor by sending another packet; this time, enter in the Password field the password followed by a comma and the factor code that was received.
      Example: {Password1},{code} where the code is the number received via SMS, Call, Email, or the Okta Verify code.

    3. Click Send.

Here is an example of where the end user can use the password followed by a comma, and Okta Verify Push:

[Screenshot: Cisco Secure Client]

 

  1. If Okta performs only secondary authentication (for example, within the Amazon Workspaces configuration), the TOTP code from an enrolled authenticator (for example, Okta Verify) should be sent instead of the password, because Okta does not check the password when the Okta performs primary authentication option is unchecked under the app settings. Sending both the password and the code in this configuration will result in an Access-Reject packet being returned.

 

NOTE: The Permit Automatic Push for Okta Verify Enrolled Users setting in the Okta RADIUS Application's Sign On tab > Advanced RADIUS Settings can be used to automatically receive a Push after entering the Username and Password.
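
The kind of packet such a test sends in the scenarios above, as an added Python example (not Okta's or NTRadPing's code): a PAP Access-Request per RFC 2865 whose password field carries the password, a comma and the factor or code, plus a check of the reply's Response Authenticator against the secret key. The user name, password and secret are constructed placeholders, and the function names are this example's own.

```python
import hashlib, hmac, os, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding, as used for PAP (CHAP is not supported)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()   # keyed by secret + previous block
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user, password, suffix, secret, ident=1, authenticator=None):
    """Access-Request whose password field is '<password>,<factor or code>'."""
    authenticator = authenticator or os.urandom(16)
    field = f"{password},{suffix}" if suffix else password   # no MFA: password only
    name, hidden = user.encode(), hide_password(field.encode(), secret, authenticator)
    attrs = bytes([1, 2 + len(name)]) + name + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def reply_authenticator(head: bytes, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code+ID+Length + Request Authenticator + Attributes + Secret)."""
    return hashlib.md5(head + request[4:20] + attrs + secret).digest()

def parse_reply(reply: bytes, request: bytes, secret: bytes):
    """Verify the reply against the request, return (code name, Reply-Message)."""
    length = len(reply)
    if length < 20 or reply[1] != request[1] or struct.unpack("!H", reply[2:4])[0] != length:
        raise ValueError("malformed reply or identifier mismatch")
    expected = reply_authenticator(reply[:4], request, reply[20:], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: secret key mismatch")
    message, pos = "", 20
    while pos + 2 <= length:
        atype, alen = reply[pos], reply[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("truncated attribute")
        if atype == 18:  # Reply-Message
            message += reply[pos + 2:pos + alen].decode(errors="replace")
        pos += alen
    return CODES.get(reply[0], f"code {reply[0]}"), message

if __name__ == "__main__":  # constructed placeholder user, password and secret
    print(build_access_request("test.user", "Password1", "push", b"constructed-secret").hex())
```

A reply that fails the Response Authenticator check points at a secret key mismatch between the test client and the RADIUS application, not at the user's credentials.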

 
