Verify the configuration of the Okta RADIUS Agent or a designated RADIUS application on Windows computers using a RADIUS testing tool. Download, extract, and open a preferred RADIUS testing tool to validate the configuration. NTRadPing is provided as an example in this article; however, use a tool that best fits the organization's guidelines.

• Okta Identity Engine (OIE)
• Okta Classic Engine
• Okta RADIUS Agent
• RADIUS Application
• Windows

How is NTRadPing configured for RADIUS testing?

Refer to the video below and/or follow the steps below to set up and utilize NTRadPing for RADIUS testing:

Enter the environment values into the corresponding fields within the RADIUS testing tool to prepare for authentication testing.

• RADIUS Server: Enter the server IP address where the Okta RADIUS Agent is installed.
• Port: Enter the port configured in the Okta RADIUS application from the Admin Console.
• Reply timeout (sec): Enter 60 seconds if Multi-Factor Authentication (MFA) is used. The default is 10 seconds.
• RADIUS Secret key: Enter the Secret Key from the Okta RADIUS application in the Admin Console.
• Username: Enter the username assigned to the Okta RADIUS application on the Assignments tab. Ensure the Okta RADIUS application matches the username entered in the testing tool.
• Password: Enter the password for the account used for testing.
• Request type: Select Authentication Request.
• CHAP: Clear the CHAP checkbox, as Challenge Handshake Authentication Protocol (CHAP) is not supported.

How are the different authentication scenarios tested?

Execute the authentication request in the testing tool using the appropriate method for the configured Multi-Factor Authentication (MFA) scenario.

• No MFA: Select Send in the testing tool. The reply message for a successful authentication displays as Reply-Message=Welcome User-name!.
• Okta Verify Push MFA: Ensure the Accept password and security token in the same login request setting is selected under the designated RADIUS application Sign On settings in Okta. Specify the factor used in the Password field after the password, followed by a comma (for example, <password>,push). Select Send and authenticate via the factor.
• SMS, Push, Call, Email, or Okta Verify code:
  1. Specify the factor used in the Password field after the password, followed by a comma (for example, <password>,<factor> where the factor is SMS, Call, Email, or Token).
  2. Select Send.
  3. Authenticate via the factor by sending another packet. Specify the received factor code in the Password field, preceded by a comma (for example, <password>,<code> where the code is the number received via SMS, Call, Email, or the Okta Verify code).
  4. Select Send.

• Secondary authentication only: If Okta performs only secondary authentication (for example, within an Amazon Workspaces configuration), send the Time-Based One-Time Password (TOTP) code from an enrolled authenticator instead of the password. Okta does not check the password when primary authentication is cleared under the application settings. Sending both the password and the code in this configuration results in an Access-Reject packet.

NOTE: The Permit Automatic Push for Okta Verify Enrolled Users setting in the Okta RADIUS application Sign On tab > Advanced RADIUS Settings automatically sends a push notification after entering the username and password.

Related References

• How does "Accept password and security token in the same login request" work for Okta MFA RADIUS authentication