RADIUS applications in Okta do not support Authentication Policies. Instead, these applications continue to use the legacy Classic Engine-style application sign-on policy even after an organization transitions to Okta Identity Engine (OIE). Administrators observe the older Sign On policy interface in these applications rather than the newer Authentication Policies framework used by other applications.
Applies to:
- Okta Identity Engine (OIE)
- Okta Classic Engine
- RADIUS Applications
- Authentication Policies
Why do RADIUS applications use legacy sign-on policies?
RADIUS is a protocol-constrained integration that does not support richer authenticator flows, such as WebAuthn, Okta Verify with biometrics, or device posture, which Authentication Policies orchestrate. RADIUS supports only a password and one additional factor, which the Access-Challenge mechanism negotiates.
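The Access-Challenge round described above, sketched as an added example (not Okta code): a minimal RFC 2865 packet encoder and parser, plus a check that the reply to a challenge echoes the State attribute and carries the user's answer in User-Password. The user name, prompt text, State value and password bytes are constructed sample data.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTRS = {1: "User-Name", 2: "User-Password", 18: "Reply-Message", 24: "State"}

def build(code, ident, attrs):
    """Encode a RADIUS packet (RFC 2865): code, id, length, 16-byte authenticator, TLVs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    # Authenticator is zeroed: this sketch does not compute or verify it.
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse(pkt):
    """Decode a packet into (code name, id, {attribute name: value}); reject bad lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("length field disagrees with packet size")
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length or pkt[off + 1] < 2 or off + pkt[off + 1] > length:
            raise ValueError("malformed attribute")
        attrs[ATTRS.get(pkt[off], str(pkt[off]))] = pkt[off + 2:off + pkt[off + 1]]
        off += pkt[off + 1]
    return CODES.get(code, str(code)), ident, attrs

def check_challenge_round(challenge, reply):
    """Return the challenge's prompt text if `reply` is a well-formed answer to it."""
    c_code, _, c_attrs = parse(challenge)
    r_code, _, r_attrs = parse(reply)
    if c_code != "Access-Challenge" or r_code != "Access-Request":
        raise ValueError("not a challenge/response pair")
    if "State" in c_attrs and r_attrs.get("State") != c_attrs["State"]:
        raise ValueError("State from the challenge was not echoed unchanged")
    if "User-Password" not in r_attrs:
        raise ValueError("response carries no User-Password attribute")
    return c_attrs.get("Reply-Message", b"").decode()

# Constructed exchange. Real User-Password values are hidden with the shared
# secret (RFC 2865 section 5.2); 16 zero bytes stand in for them here.
HIDDEN = bytes(16)
EXCHANGE = [
    build(1, 1, [(1, b"alice"), (2, HIDDEN)]),                            # password
    build(11, 1, [(18, b"Enter your one-time code"), (24, b"session-0001")]),
    build(1, 2, [(1, b"alice"), (2, HIDDEN), (24, b"session-0001")]),     # OTP answer
    build(2, 2, []),
]

if __name__ == "__main__":
    for pkt in EXCHANGE:
        print(parse(pkt)[0], sorted(parse(pkt)[2]))
    print(check_challenge_round(EXCHANGE[1], EXCHANGE[2]))
```

The only things the client can return in the second round are the same text-sized attributes it sent in the first, which is why a factor that needs a browser or device signal has no place in the exchange.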
What are the supported factors for RADIUS?
Review the following list to identify the supported authentication factors available for RADIUS integrations.
- Password
- Okta Verify Push
- Time-based One-Time Password (TOTP) (Okta Verify OTP, Google Authenticator)
- SMS, Voice, or Email One-Time Password (OTP)
- YubiKey OTP
How are RADIUS integrations migrated to modern protocols?
Where possible, migrate RADIUS-based integrations to Security Assertion Markup Language (SAML) or OpenID Connect (OIDC) so the integrations can leverage Authentication Policies, device assurance, and phishing-resistant authenticators. Many VPNs, such as Palo Alto GlobalProtect, Cisco AnyConnect, and Fortinet, support SAML as an alternative to RADIUS.
