<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D50Z00008C3jWHSAZOkta Classic EngineMulti-Factor AuthenticationAnswered2025-06-14T10:27:26.000Z2018-02-08T15:37:10.000Z2018-02-08T15:37:10.000Z

nqwvh (nqwvh) asked a question.

Edited by varun.kavoori1.5210444522562532E12 September 5, 2018 at 1:19 AM
Fail to authenticate Aviatrix VPN Client using DUO-enabled Okta
Hello!

 

I'm using Okta for Aviatrix VPN authentication. On their website, apparently support using Okta. http://docs.aviatrix.com/HowTos/HowTo_Setup_Okta_for_Aviatrix.html

 

My problem is that after I setup gateway with Okta authentication in Aviatrix, I cannot login via VPN client when DUO is enabled. The authentication simply failed with the following log:

 

2018-02-08 06:27:33 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)

2018-02-08 06:27:33 AUTH: Received control message: AUTH_FAILED

2018-02-08 06:27:33 SIGTERM[soft,auth-failure] received, process exiting

 

And on Okta side I'm seeing the following two events in sys log, but my phone was never prompted with any challenge. 

0EM2A000000VPPMAnd I noticed in the "Evaluation of sign-on policy" event, the user-agent has the following property:

 

Browser UNKNOWN

OS Linux

RawUserAgent OktaOpenVPN/0.9.2 (Linux 3.13.0-74-generic) CPython/2.7.6

 

If I deactivate DUO, then the login will pass.

 

I want to know is it supported to use DUO-enabled Okta for other platform's authentication?  If so, is it that Aviatrix is not calling Okta using the right way?

 

Regards,

Yiyang
  • 2 answers
  • 1.11K views

  • aleks.bulajic1.4896145077506367E12 (Okta, Inc.)

    Hi Yiyang,

     

    Thank you for reaching out today! While we currently do not have documention around integrating the Aviatrix VPN, most factor options should be supported when authenticating to a VPN client via means of the Radius Agent and Radius App:

     

    Radius Agent Deployment https://help.okta.com/en/prod/Content/Topics/DeploymentGuides/Radius_Server_Agent/radius-server-agent-dg.htm

     

    Radius Application - https://help.okta.com/en/prod/Content/Topics/Security/Okta_Radius_App.htm

     

    Cisco ASA VPN Configuration Guide (indicates push is supported but may require adjusting a Timeout duration setting within the VPN configuration settings)  https://support.okta.com/help/Documentation/Knowledge_Article/Cisco-ASA-VPN-Configuration-Guide

     

    As a suggestion, could you confirm if you are able to authenticate with any other factor methods such as SMS or Okta Verify Push, as well as determine if there are any settings available in the Aviatrix configurations where a timeout duration can increased?

     

    If you continue to run into issues, I would definitely suggest opening a case with Support so we can further assist with additional troubleshooting.

     

    Thank you,

     

    Aleks Bulajic

    Technical Support Engineer

    Okta Global Customer Care
    Expand Post

  • j5v7c (j5v7c)

    Hello,

     

    Thanks for posting your inquiry in Okta Community Portal.

     

    ​If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer." 

     

    Thank you,

     

    ​Dylann Fezeu

    Okta Help Center Team
    Expand Post
This question is closed.
Loading
Fail to authenticate Aviatrix VPN Client using DUO-enabled Okta