Okta has released updates that address a vulnerability in the client-server Remote Authentication Dial-In User Service (RADIUS) networking protocol, commonly referred to as “Blast-RADIUS”, as it affects Okta RADIUS agent versions prior to 2.24.0 and Okta On-Prem MFA agent versions prior to 1.8.0.
This article provides additional detail on the recommended update to the RADIUS and On-Prem MFA agents. Because remediation of this third-party protocol vulnerability involves requirements beyond the agents themselves, the updates are highly recommended, but they are neither required nor enforced by Okta.
Affected versions:
- RADIUS agent versions prior to 2.24.0
- On-Prem MFA agent versions prior to 1.8.0
Customers using Okta RADIUS agent versions prior to 2.24.0, or Okta On-Prem MFA agent versions prior to 1.8.0, should:
- Upgrade any downstream service that integrates with the RADIUS or On-Prem MFA agent so that it supports the Message-Authenticator attribute
- Update the On-Prem MFA agent to 1.8.0 or above and the RADIUS agent to 2.24.0 or above
- Enable the RADIUS feature Require Message-Authenticator for incoming client requests
  - This step is not required if you are already using Extensible Authentication Protocol (EAP).
  - This step is not required for the On-Prem MFA agent.
NOTE: If the agent update and configuration changes are not performed alongside the downstream service updates, related authentication flows will stop functioning.
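As an added illustration (not Okta's code and not part of this article), the following Python shows what the Require Message-Authenticator setting enforces on an incoming Access-Request: the RFC 2869 Message-Authenticator attribute is an HMAC-MD5, keyed with the RADIUS shared secret, over the whole packet, and a request that lacks the attribute or carries one that does not verify is rejected. The packet contents and shared secret used here are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 section 5.14

def build_access_request(secret, identifier, attrs, sign=True):
    """Constructed Access-Request; with sign=True a Message-Authenticator is appended."""
    authenticator = os.urandom(16)  # Request Authenticator
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if not sign:
        header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
        return header + authenticator + body
    # HMAC-MD5 keyed with the shared secret over the whole packet, with the
    # Message-Authenticator value set to 16 zero bytes while computing it.
    placeholder = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body) + 18)
    mac = hmac.new(secret, header + authenticator + body + placeholder, hashlib.md5).digest()
    return header + authenticator + body + placeholder[:2] + mac

def verify_message_authenticator(packet, secret):
    """True only if the packet carries exactly one Message-Authenticator that verifies."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # RFC 2865: octets beyond Length are padding
    offset, found = 20, None
    while offset + 2 <= length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or found is not None:
                return False  # wrong size or duplicated attribute
            found = offset
        offset += attr_len
    if found is None or offset != length:
        return False  # missing attribute: what Require Message-Authenticator rejects
    received = packet[found + 2:found + 18]
    zeroed = packet[:found + 2] + bytes(16) + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)
```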
To validate your RADIUS agent version, refer to: Determine the RADIUS agent version.
To validate your On-Prem MFA agent version, launch Control Panel on the Windows machine where the Okta On-Prem MFA agent is installed, open Programs and Features, and find Okta On-Prem MFA agent.
