This article addresses the situation in which a user or admin attempts to log in to a network device but is not prompted for MFA, instead receiving a time-out error. In Okta logs, the following error can be seen: 

Delegated authentication request timed out. Ensure that the agent for your directory is connected to Okta.

This error might also be followed by the below error in RADIUS logs: 

Authentication failed for user testuser@okta.com, reason --- Access denied. Invalid creds?

• Multi-Factor Authentication (MFA)
• RADIUS Authentication

Troubleshooting steps

1. Test the RADIUS authentication using NTRadPing to make sure that the RADIUS integration does not present any errors.
2. Make sure that the shared secret key in the RADIUS application in Okta does not contain any special characters. If it does, it can result in a DEL_AUTH_TIMEOUT error. The Secret Key can be edited by pressing the Edit button at the top-right corner of the Sign-On tab of the application. 

3. Make sure that the secret key from the RADIUS app matches the one in the firewall. 
4. The error might also be linked to an issue with the AD Agent installed on the server if the user authenticates with Okta via AD delegated authentication. In this case, the following knowledge base articles can be consulted:

• DEL_AUTH_TIMEOUT Errors In System Log 
• Troubleshooting Failed Delegated Authentication Attempts
• Delegated Authentication Request Timed Out

5. If none of the above helped to resolve the issue, open a ticket with Okta Support and attach the AD agent verbose log and the RADIUS logs from the RADIUS server for further investigation.

Related References

• Troubleshooting Okta RADIUS Errors