Malicious actors often use password spraying or brute force attacks on publicly accessible Virtual Private Network (VPN) endpoints to gain unauthorized access. Securing the Okta RADIUS Agent against these malicious authentication attempts requires implementing multi-factor authentication (MFA), updating the agent, enabling client IP reporting, configuring Okta ThreatInsight, and blocking malicious IP addresses.
Even with these controls in place, the VPN endpoint itself remains publicly reachable, so administrators must also apply edge security measures, such as firewall rules, to filter client requests before they reach the gateway.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta RADIUS Agent
- Virtual Private Network (VPN)
- Firewall
How does multi-factor authentication protect the integration?
The first line of defense is multi-factor authentication (MFA): protect end users with MFA and require it in the sign-on policies for RADIUS applications. Password spraying and credential stuffing target accounts with only a username and password, often reusing credentials exposed in breaches of other services. MFA adds a factor that an attacker cannot obtain from a leaked or guessed password, so a correct password alone is no longer enough to sign in. For information on RADIUS integrations and enabling MFA, refer to the Okta RADIUS Server Agent Integrations manual. If further assistance is necessary, open a ticket with Okta Support.
Ensure the Okta RADIUS Agent is Up to Date
Running the latest version of the Okta RADIUS Agent ensures the environment has the most recent patches and fixes. This includes correct handling and processing of authentication requests, which features such as Okta ThreatInsight depend on to function properly (for example, the client IP reporting described below).
Enable the gateway service (VPN gateway) to report the requesting client IP
Enable Report Client IP in the RADIUS Application
To configure or verify that the Report Client IP option functions, open the RADIUS application and check the Advanced RADIUS Settings. The RADIUS integrations documentation contains more details on configuring RADIUS applications.
NOTE: This depends on the gateway including this IP information in a RADIUS attribute. For example, in Cisco ASA VPN integrations, the VPN gateway maps the client IP to a specific attribute like Calling-Station-Id. The Okta RADIUS Agent extracts the client IP from this attribute and adds it to the X-Forwarded-For (XFF) header when making an authentication request to Okta. The Client IP Reporting documentation contains general details on client IP reporting.
How does Okta ThreatInsight detect malicious IP addresses?
When administrators enable client IP forwarding, the Okta RADIUS Agent adds the client IP to the IP chain of the authentication attempt made back to the Okta tenant. This allows client IP inspection by Okta ThreatInsight, which monitors Okta RADIUS authentication endpoints to inspect, learn from, and take action on known malicious actors and traffic. After configuring and confirming client IP reporting, administrators must also configure the RADIUS Agent server IP as a Trusted Proxy in the Legacy Network Zone. When Okta receives the RADIUS authentication request with both the client IP and the RADIUS Agent IP in the chain, the ThreatInsight pipeline considers only the non-trusted client IP for further evaluation. Okta ThreatInsight takes action only on the client IP, never on the RADIUS Agent itself.
NOTE: Okta ThreatInsight blocks certain types of malicious traffic but cannot guarantee complete detection of malicious IP addresses or threats.
For more information, check the Configure Okta ThreatInsight documentation.
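The following is an added example, not Okta's code, that models the path described above: the agent takes the client IP from a RADIUS attribute (Calling-Station-Id here) and forwards it in X-Forwarded-For, and Okta appends the connecting peer (the agent host) to form the IP chain before ThreatInsight skips trusted proxies. The agent address, the trusted-proxy set and the sample requests are constructed; the exact way Okta assembles the chain is an assumption based on the description on this page.

```python
"""Model of how the client IP reported by the RADIUS Agent reaches ThreatInsight.

Added example; not Okta's code. Assumes the agent places the client IP (taken
from a RADIUS attribute such as Calling-Station-Id) in X-Forwarded-For and that
Okta appends the connecting peer (the agent host) to form the IP chain.
"""
import ipaddress

RADIUS_AGENT_IP = "10.20.30.40"          # assumed address of the agent host
TRUSTED_PROXIES = {RADIUS_AGENT_IP}      # what an admin registers as a Trusted Proxy

# Constructed sample requests as a gateway might send them (values are made up).
SAMPLE_REQUESTS = {
    "alice": {"Calling-Station-Id": "203.0.113.45"},       # proper client IP
    "bob":   {"Calling-Station-Id": "00-1A-2B-3C-4D-5E"},  # gateway sent a MAC instead
    "carol": {},                                           # attribute missing entirely
}


def parse_ip(value):
    """Return the value as a normalized IP string, or None if it is not an IP literal."""
    if not value:
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def agent_forwarded_for(attrs, attr="Calling-Station-Id"):
    """Agent side: the X-Forwarded-For value to send, or None if no usable client IP."""
    return parse_ip(attrs.get(attr))


def okta_ip_chain(xff, peer_ip):
    """Okta side: XFF hops (left to right) followed by the TCP peer that connected."""
    hops = [h.strip() for h in xff.split(",")] if xff else []
    hops = [h for h in hops if parse_ip(h)]      # drop anything that is not an IP
    return hops + [peer_ip]


def ip_to_evaluate(chain, trusted_proxies):
    """Walk back from the connecting peer, skipping trusted proxies.

    The first hop that is not a trusted proxy is the one ThreatInsight evaluates.
    None means every hop was trusted, so there is nothing left to evaluate.
    """
    for hop in reversed(chain):
        if hop not in trusted_proxies:
            return hop
    return None


def evaluate(user, trusted_proxies=TRUSTED_PROXIES):
    """End-to-end: which IP would ThreatInsight judge for this user's attempt?"""
    xff = agent_forwarded_for(SAMPLE_REQUESTS[user])
    chain = okta_ip_chain(xff, RADIUS_AGENT_IP)
    return ip_to_evaluate(chain, trusted_proxies)


if __name__ == "__main__":
    for user in SAMPLE_REQUESTS:
        print(user, "->", evaluate(user))
    # Misconfiguration: the agent host was never registered as a trusted proxy.
    print("alice without trusted proxy ->", evaluate("alice", trusted_proxies=set()))
```

Running it shows the two failure modes worth checking for in your own deployment: when the gateway sends a MAC address or nothing at all (bob, carol) the chain contains only the trusted agent, so ThreatInsight has nothing to evaluate and the attempt is effectively invisible to it; and when the agent is not registered as a trusted proxy, the agent's own address becomes the evaluated IP, so a block decision would lock out every VPN user at once.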
To configure Okta ThreatInsight to detect malicious IP addresses that attempt credential-based attacks, follow these steps to select an enforcement action and exclude any trusted network zones:
- In the Admin Console, go to Security, and then select General.
- Go to the Okta ThreatInsight settings.
- Choose Edit to view the list of actions.
- No Action: Okta ThreatInsight actions remain inactive. Even with this option selected, Okta collects Okta ThreatInsight data for aggregation purposes.
- Log authentication attempts from malicious IPs: ThreatInsight records information about sign-in attempts from potentially malicious IP addresses in the System Log.
- Log and enforce security based on threat level: ThreatInsight limits or blocks authentication requests from suspicious IP addresses according to the threat level detected. If Okta suspects an IP address of malicious activity but considers the threat level low, it does not deny authentication requests from that address but may rate-limit them, so that requests from a suspicious address cannot overload authentication services and affect legitimate traffic. Limiting rather than blocking reduces the risk of malicious activity without cutting off legitimate users behind the same address. If Okta detects a high threat level for an IP address, it blocks authentication requests from that address.
- Select the desired action for the organization.
- Add any trusted network zones that require exclusion from threat detection.
- Choose Save.
NOTE: These settings may take a few minutes to take effect.
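Teams that manage many orgs usually script this setting rather than clicking through the console. The following is an added example, not Okta's code, that plans a ThreatInsight configuration change and refuses to silently weaken enforcement. It assumes the ThreatInsight Configuration API (GET and POST on `{org}/api/v1/threats/configuration` with a body of the form `{"action": "none"|"audit"|"block", "excludeZones": [zoneId, ...]}`) and the mapping from the three console options to those action values; verify both against the current Okta API reference before use. The org URL, API token and zone ID are placeholders.

```python
"""Plan a ThreatInsight configuration change without downgrading enforcement by accident.

Added example; not Okta's code. Assumes the ThreatInsight Configuration API
(GET/POST {org}/api/v1/threats/configuration, body {"action": ..., "excludeZones": [...]}).
"""
import json
import urllib.request

# Console option -> API action value (assumed mapping; check the API reference).
ACTIONS = {
    "No Action": "none",
    "Log authentication attempts from malicious IPs": "audit",
    "Log and enforce security based on threat level": "block",
}
STRENGTH = {"none": 0, "audit": 1, "block": 2}


def plan_change(current, desired_action, exclude_zones=(), allow_downgrade=False):
    """Return the POST body needed to reach the desired state, or None if already there.

    Raises ValueError for an unknown action, or for a change that would weaken
    enforcement (e.g. block -> audit) unless allow_downgrade is set explicitly.
    """
    if desired_action not in STRENGTH:
        raise ValueError(f"unknown ThreatInsight action {desired_action!r}")
    cur_action = current.get("action", "none")
    if STRENGTH[desired_action] < STRENGTH[cur_action] and not allow_downgrade:
        raise ValueError(f"refusing to downgrade ThreatInsight from {cur_action} to {desired_action}")
    desired = {"action": desired_action, "excludeZones": sorted(exclude_zones)}
    if cur_action == desired_action and sorted(current.get("excludeZones", [])) == desired["excludeZones"]:
        return None
    return desired


def make_request(org_url, api_token, body=None):
    """Build the GET (body is None) or POST request for the configuration endpoint."""
    headers = {"Accept": "application/json", "Authorization": f"SSWS {api_token}"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    return urllib.request.Request(
        f"{org_url.rstrip('/')}/api/v1/threats/configuration",
        data=data, headers=headers, method="GET" if body is None else "POST",
    )


def enforce(org_url, api_token, desired_action, exclude_zones=(), send=urllib.request.urlopen):
    """Read the current configuration and POST only if a change is actually needed."""
    with send(make_request(org_url, api_token)) as resp:
        current = json.load(resp)
    body = plan_change(current, desired_action, exclude_zones)
    if body is None:
        return current
    with send(make_request(org_url, api_token, body)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder org, token and zone ID; this call performs real network requests.
    print(enforce("https://example.okta.com", "REPLACE_ME", "block", ["nzoEXAMPLEZONEID"]))
```

The `send` parameter exists so the flow can be exercised offline with a stub; in production the default `urllib.request.urlopen` is used. Remember that, per the note above, a saved change can take a few minutes to take effect, so a read-back immediately after the POST may still show the old value.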
Block IP addresses
Security teams should review the Okta System Log and the RADIUS Agent logs, together with firewall and VPN concentrator configuration and logs, to determine the list of malicious IP addresses. A password spray typically shows as one source IP failing against many different accounts with only a few attempts each, while a brute-force attempt shows as one source IP hammering a single account. Once the list is determined, the security team should create an ACL (access control list) on the firewall or VPN concentrator to block those addresses from making authentication requests, taking care never to include the RADIUS Agent host or other trusted infrastructure in the block list.
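As an added example (not Okta's tooling), the script below runs the review described above over constructed Okta System Log events, flags password-spray and brute-force sources, and emits firewall ACL lines for them. It assumes the System Log export is one JSON event per line with the usual `eventType`, `outcome.result`, `actor.alternateId` and `client.ipAddress` fields, that RADIUS sign-ins appear under an event type starting with `user.authentication` (the exact type used here is an assumption), and that the agent host address and the ACL name `VPN_EDGE` are placeholders. The sample events and thresholds are constructed for the demonstration.

```python
"""Find spraying/brute-forcing source IPs in Okta System Log events and emit ACL lines.

Added example; not Okta's code. The events below are constructed, and the agent
IP, thresholds and ACL name are placeholders to adapt to your environment.
"""
import ipaddress
import json
from collections import defaultdict

AGENT_IPS = {"10.20.30.40"}   # assumed RADIUS Agent host; must never be blocked
SPRAY_MIN_USERS = 5           # distinct accounts failing from one IP -> spray
BRUTE_MIN_FAILURES = 10       # failures against one account from one IP -> brute force


def _event(ip, user, result, reason=None):
    """One constructed System Log event with only the fields this analysis uses."""
    return {
        "eventType": "user.authentication.auth_via_radius",   # assumed event type
        "outcome": {"result": result, "reason": reason},
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
    }


def make_sample_events():
    """Constructed export: one JSON object per line, as a System Log download would be."""
    events = []
    for u in ["alice", "bob", "carol", "dave", "erin", "frank"]:      # spray
        events.append(_event("198.51.100.7", f"{u}@example.com", "FAILURE", "INVALID_CREDENTIALS"))
    for _ in range(12):                                                # brute force
        events.append(_event("198.51.100.9", "gus@example.com", "FAILURE", "INVALID_CREDENTIALS"))
    for _ in range(2):                                                 # real user, two typos
        events.append(_event("203.0.113.45", "alice@example.com", "FAILURE", "INVALID_CREDENTIALS"))
    events.append(_event("203.0.113.45", "alice@example.com", "SUCCESS"))
    for u in ["hank", "ivy", "jack", "kim", "lee"]:    # client IP reporting off: agent shows as client
        events.append(_event("10.20.30.40", f"{u}@example.com", "FAILURE", "INVALID_CREDENTIALS"))
    return [json.dumps(e) for e in events]


def analyze(lines, agent_ips=AGENT_IPS):
    """Return (suspect_ips, skipped_ips); skipped ones matched but are trusted infrastructure."""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failure count
    for line in lines:
        ev = json.loads(line)
        if not ev.get("eventType", "").startswith("user.authentication"):
            continue
        if ev.get("outcome", {}).get("result") != "FAILURE":
            continue
        ip = ev.get("client", {}).get("ipAddress")
        user = ev.get("actor", {}).get("alternateId")
        if not ip or not user:
            continue
        try:
            ip = str(ipaddress.ip_address(ip))   # normalize, drop anything that is not an IP
        except ValueError:
            continue
        failures[ip][user] += 1

    suspects, skipped = [], []
    for ip, users in failures.items():
        spray = len(users) >= SPRAY_MIN_USERS
        brute = max(users.values()) >= BRUTE_MIN_FAILURES
        if not (spray or brute):
            continue
        # A trusted host matching the pattern usually means client IP reporting is off.
        (skipped if ip in agent_ips else suspects).append(ip)
    return sorted(suspects), sorted(skipped)


def acl_lines(ips, style="asa"):
    """Render deny rules: Cisco ASA extended ACL (placeholder name VPN_EDGE) or iptables."""
    if style == "asa":
        return [f"access-list VPN_EDGE extended deny ip host {ip} any" for ip in ips]
    if style == "iptables":
        return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]
    raise ValueError(f"unknown ACL style {style!r}")


if __name__ == "__main__":
    suspects, skipped = analyze(make_sample_events())
    print("\n".join(acl_lines(suspects)))
    if skipped:
        print("# NOT blocked (trusted infrastructure; check client IP reporting):", ", ".join(skipped))
```

On the sample data the spraying address (six accounts, one failure each) and the brute-forcing address (twelve failures on one account) are returned as suspects, the user who mistyped twice and then succeeded is not, and the agent host, which looks exactly like a sprayer when client IP reporting is off, is reported separately instead of ending up in the ACL. Place the resulting deny rules ahead of the permit rule for the VPN service in the edge ACL.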
