
31ua7 (31ua7) asked a question.
Hi,
I'm trying to configure RADIUS authentication, but the client initiating the authentication is not compatible with MFA and the authentication is not working.
Is there a way to disable MFA for one specific client?
2020-01-03 09:31:34 UTC [xx-xx-xxxxxx, pool-1-thread-2, radiusRequestId=.........., user=xxxxxxxxxxxxx@xxx.xx, requestType=primary] : INFO - Begin processing of Access-Request, client=/xx.xx.xxx.xx:1812, packetId=95, method=PAP
2020-01-03 09:31:34 UTC [xx-xx-xxxxxx, pool-1-thread-2, radiusRequestId=.........., user=xxxxxxxxxxxxx@xxx.xx, requestType=primary] : INFO - Challenge requested: Select a factor to enroll in: 1 - Push, 2 - SMS. Enter '0' to abort.

Your 2nd log entry says, "select a factor to enroll in", which sounds as if the user is not yet enrolled in any MFA factors, so when you say the RADIUS client is not compatible with MFA, is it just not compatible with in-line enrollment? I think in-line enrollment is a relatively new feature (it may not even be GA yet, but I haven't looked into it), and it's quite possible that some RADIUS clients don't support that feature. Is it possible to have the user log in with a web browser, enroll their MFA factor, sign out, then sign back in via RADIUS and use the enrolled MFA factor? That's essentially what we have our remote support team members do before they're permitted to access our on-premises resources by connecting to our VPN, which authenticates via RADIUS and requires MFA.
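
Added example (not part of the original thread, and not vendor code): a small Python script that automates the check the reply makes by eye, listing users whose RADIUS requests were answered with an in-line enrollment prompt and who therefore need to enroll a factor through a web sign-in first. It assumes the log layout seen in the two lines quoted in the question; the sample lines, user names, addresses and request ids are constructed.

```python
import re

# Layout inferred from the two log lines quoted in the question (an assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC "
    r"\[(?P<ctx>[^\]]*)\] : (?P<level>[A-Z]+) - (?P<msg>.*)$"
)

def parse_line(line):
    """Split one agent log line into timestamp, level, message and context fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # continuation lines, stack traces, other formats
    ctx = {}
    for item in m.group("ctx").split(","):
        key, sep, value = item.strip().partition("=")
        if sep:  # positional items such as the thread name carry no key
            ctx[key] = value
    return {"ts": m.group("ts"), "level": m.group("level"),
            "msg": m.group("msg"), **ctx}

def users_needing_enrollment(lines):
    """Map user -> request ids that were answered with an in-line enrollment prompt."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["msg"].startswith("Challenge requested:"):
            continue
        # The wording from the thread's second log entry marks enrollment,
        # as opposed to a challenge for a factor the user already has.
        if "factor to enroll in" in rec["msg"]:
            hits.setdefault(rec.get("user", "<unknown>"), []).append(
                rec.get("radiusRequestId", "<unknown>"))
    return hits

# Constructed sample lines (hosts, users and request ids are made up).
SAMPLE_LOG = [
    "2020-01-03 09:31:34 UTC [agent-01, pool-1-thread-2, radiusRequestId=req-0001, user=alice@example.test, requestType=primary] : INFO - Begin processing of Access-Request, client=/192.0.2.10:1812, packetId=95, method=PAP",
    "2020-01-03 09:31:34 UTC [agent-01, pool-1-thread-2, radiusRequestId=req-0001, user=alice@example.test, requestType=primary] : INFO - Challenge requested: Select a factor to enroll in: 1 - Push, 2 - SMS. Enter '0' to abort.",
    "2020-01-03 09:32:10 UTC [agent-01, pool-1-thread-3, radiusRequestId=req-0002, user=bob@example.test, requestType=primary] : INFO - Challenge requested: (constructed prompt for an already-enrolled user)",
]

if __name__ == "__main__":
    for user, reqs in users_needing_enrollment(SAMPLE_LOG).items():
        print(f"{user}: enroll a factor via web sign-in first (requests: {', '.join(reqs)})")
```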