Step-by-Step Guide for Upgrading RADIUS Server Agent and On-Prem MFA Agent
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

This article is a step-by-step guide for upgrading the RADIUS Server agent and On-Prem MFA Agent.
 

Applies To
  • RADIUS Agent
  • On-Prem MFA Agent
  • Multi-Factor Authentication (MFA)
Solution

Okta RADIUS Server Agent

Windows

  1. From the Administrator Dashboard, select Settings > Downloads > Okta RADIUS Server Agent.

  2. Click Download Latest and run the Okta RADIUS installer.


  3. Proceed through the installation wizard to the Important Information and License agreement screens, and click Next.


  4. Choose the Installation folder and click the Install button.

    • By default, it will create this folder C:\Program Files (x86)\Okta\Okta RADIUS Agent.


  5. The agent installation will start, and the Operation in progress screen will be seen until the installation is complete.

  6. Click Finish on the confirmation screen.

For more information, please check the Install Okta RADIUS server agent on Windows documentation.

About SSL Pinning For RADIUS Agent Windows

RADIUS agent versions 2.2.0 and later are enabled with SSL pinning, which provides an extra layer of security. SSL pinning is not enabled by default in earlier versions.

NOTE: Disabling SSL pinning might be necessary for agents on a network containing a web security appliance.

 

When upgrading from an agent version earlier than version 2.2.0, it may be necessary to perform the following after the upgrade is completed to enable SSL pinning. This process restricts agent communication only to servers that can present valid certificates with public keys known to the new agents.

  • Do not do this procedure for agents on a network that has a web security appliance on it.
  1. Open the folder where the Okta RADIUS server agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.
  2. Open the current\user\config\radius\ folder and create backup copies of the config.properties and additional-config.properties files.
  3. Open the current\user\config\radius\config.properties file in a text editor.
  4. Append the following line to the end of the file:
    ragent.ssl.pinning = true
  5. Save the file.
  6. Restart the Okta RADIUS server agent service using the Windows administrative tools.

For more information, please check the Use SSL pinning documentation.


Okta On-Prem MFA Agent

Windows

  1. From the Administrator Dashboard, select Settings > Downloads > Okta On-Prem MFA Agent.

  2. Click Download Latest and run the Okta On-Prem MFA Agent installer.


  3. Proceed through the installation wizard to the Important Information and License agreement screens, and click Next.


  4. Choose the Installation folder and click the Install button.

    • By default, it will create this folder C:\Program Files (x86)\Okta\Okta On-Prem MFA Agent.

  5. The agent installation will start, and the Operation in progress screen will be seen until the installation is complete.


  6. Click Finish on the confirmation screen.


For more information, please check the Okta On-Prem MFA agent (formerly RSA SecurID) documentation.

About SSL Pinning For MFA On-Prem Agent Windows

  • Agents installed on a network containing a web security appliance may need to disable SSL pinning.

 

During this task, disable SSL pinning using an agent property.

NOTE: This page is only applicable to On-Prem MFA agent versions 1.3.0 or later.

  1. Open the folder where the Okta RSA agent resides.
    1. The default installation folder is C:\Program Files (x86)\Okta\Okta RSA Agent\ or C:\Program Files (x86)\Okta\Okta On-Prem MFA Agent\.
  2. From this folder, navigate to current\user\config\rsa-securid\config.properties.
    1. Before making changes, Okta recommends creating a backup of this file.
  3. Using a text editor, open the file current\user\config\rsa-securid\config.properties in the Okta RSA agent installation folder.
  4. As line 6, add:
    sslPinningEnabled = false
  5. Save the file.
  6. Restart the Okta On-Prem MFA Agent service using the available Windows administrative tools.

For more information, please check the Disable SSL Pinning documentation.


Linux RADIUS Agent

  1. From the Administrator Dashboard, select Settings > Downloads > Okta RADIUS Server Agent.

  2. Click Download Latest next to the RADIUS installer (rpm or deb).

  3. Use one of the following commands to generate the hash on the local machine. Replace setup with the file path to the downloaded agent.

    • Linux: sha512sum setup.rpm

  4. Verify that the generated hash matches the hash on the Downloads page.

  5. Log in to the computer that will run the agent and open a terminal window.

  6. Become root.
    $ su root

  7. Install the agent.

    • Using rpm to install the agent, run the command:

      rpm -Uvh OktaRadiusSetupRPM-[Agentversion].rpm where:

      • U - install or upgrade

      • v - execute in verbose mode

      • h - print hash marks, #, periodically while performing the operation

      • M.m.details represents the most recent version of the agent RPM.
        For example, OktaRadiusSetupRPM-[Agentversion].rpm

    • Using debian apt to install the agent, run the command: 

      apt install /${PATH_TO_INSTALLER_FILE}/OktaRadiusAgentSetup-[Agentversion].deb

      where:

      • M.m.details represents the most recent version of the agent DEB.

        For example, OktaRadiusAgentSetup-[Agentversion].deb.

  8. The installer will execute and prompt for entering the base URL for the Okta organization.
    For example, https://mycompany.okta.com

  9. The agent will then prompt for authentication with the Okta tenant.
    Copy the URL from the agent install window into a web browser.
    The URL will resemble the following:
    https://{myorg.okta.com}/oauth2/auth?code={code}.

  10. In the web browser, there will be a prompt to authenticate to Okta and authorize the agent.
    Click Allow Access.

  11. Okta recommends authorizing the agent using a dedicated service account with Super Admin privileges. An API token will be generated for the agent.

  12. Return to the Linux terminal window, where there should be a message stating the agent was successfully registered.

  13. Configure a RADIUS app in Okta to configure the RADIUS agent port, shared secret, and advanced RADIUS settings.

NOTE:  After any upgrade, Okta recommends always shutting down and restarting the RADIUS agent.

 

For more information, please check the Install Okta RADIUS server agent on Linux documentation.
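
Steps 3 and 4 of the Linux install, as an added shell example (not Okta's code): verify_installer is a hypothetical helper that compares the installer's SHA-512 with the value copied from the Downloads page and returns non-zero on any mismatch, so the install command can be chained behind it.

```shell
#!/bin/sh
# Added example: gate the agent install on the SHA-512 shown on the Downloads page.
# verify_installer is a hypothetical helper name; file and hash come from the caller.

# verify_installer FILE EXPECTED_SHA512
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_installer() {
    file=$1
    # Normalise the pasted value: strip whitespace and lower-case the hex digits.
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "missing installer: $file" >&2; return 2; }

    # A SHA-512 digest is exactly 128 hex characters; reject truncated pastes
    # instead of reporting them as an ordinary mismatch.
    case $expected in
        *[!0-9a-f]*) echo "expected hash is not hexadecimal" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "expected hash is not 128 hex characters" >&2; return 2; }

    actual=$(sha512sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published hash"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Typical use (placeholders, not real values):
#   verify_installer ./OktaRadiusSetupRPM-[Agentversion].rpm "<hash from Downloads page>" \
#       && rpm -Uvh ./OktaRadiusSetupRPM-[Agentversion].rpm
```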

 

About SSL Pinning For RADIUS Agent Linux

 

It is possible to override the RADIUS Agent default properties as required.

NOTE: Changes to the RADIUS Agent config.properties are only loaded on agent restart. Always restart the agent after changing config.properties.

 

RADIUS agent properties are stored in config.properties and additional-config.properties. Okta recommends backing these files up before modifying any agent properties.

  1. Open /opt/okta/ragent/user/config/radius/config.properties.
  2. Configure the property ragent.ssl.pinning.
    1. Default Value = True  (enabled).
  3. If the proxy terminates the SSL connection, disable SSL pinning. For example:
    ragent.ssl.pinning = false
  4. Save the file.
  5. Any changes made will be effective after restarting the Okta RADIUS Agent service as described in Manage the agent.
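
The backup-and-edit steps above, as an added shell example (not Okta's code). set_agent_property and get_agent_property are hypothetical helpers; they remove any earlier assignment of the key before writing the new one, so an older line cannot contradict the intended pinning setting, and they assume the file uses ordinary key = value property lines.

```shell
#!/bin/sh
# Added example: back up config.properties, then set one property so that
# exactly one assignment of it remains. Helper names are hypothetical.

# set_agent_property FILE KEY VALUE
set_agent_property() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Timestamped backup next to the original, as the article recommends.
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 2

    # Escape dots so "ragent.ssl.pinning" is matched literally.
    key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
    tmp=$(mktemp "$file.XXXXXX") || return 2

    # Drop every existing assignment of KEY ("key=value", "key = value",
    # "key : value"); comments and other properties are kept.
    # grep exits 1 when nothing is left to print, which is not an error here.
    grep -v -E "^[[:space:]]*${key_re}[[:space:]]*[=:]" "$file" > "$tmp" \
        || [ $? -eq 1 ] || return 2
    printf '%s = %s\n' "$key" "$value" >> "$tmp"

    # Overwrite the contents in place so ownership and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_agent_property FILE KEY -> prints the value of the last assignment of KEY
get_agent_property() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n -E "s/^[[:space:]]*${key_re}[[:space:]]*[=:][[:space:]]*//p" "$1" | tail -n 1
}

# Typical use, run as root, followed by an agent restart:
#   set_agent_property /opt/okta/ragent/user/config/radius/config.properties \
#       ragent.ssl.pinning false
```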

 

NOTE:

Following the upgrade of the RADIUS agent, the agent console may not reflect the correct version number. To validate that the right version of the agent was installed:

  • Windows
    Navigate to Control Panel > Programs > Programs and Features and verify the Okta RADIUS Agent [Agent latest version] was installed.
  • Linux
    Run the following command to validate the version the agent was upgraded to:

    $ sudo find /opt/okta/ragent -name 'log4j*'

    The output will show the agent version installed is 2.15, which is the patched log4j jar version:

    /opt/okta/ragent/lib/common/log4j-api-[Agentversion].jar
    /opt/okta/ragent/lib/common/log4j-core-[Agentversion].jar
    /opt/okta/ragent/lib/common/log4j-1.2-api-[Agentversion].jar
    /opt/okta/ragent/user/config/radius/log4j2.xml

 

For more information, please check the Configure properties documentation.

 
