
ts2ql (ts2ql) asked a question.
Hi guys,
Does the Okta Radius app have a way to use the CHAP or CHAPv2 protocol and not PAP?
PAP is kinda ancient and also poses security risks due to there being no encryption whatsoever.
We are trying to integrate a solution with UniFi access points, and they still send their requests in CHAP:
2022-03-09 19:59:25 UTC [nexo-okta-agent-1, pool-2-thread-4] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing
2022-03-09 19:59:25 UTC [nexo-okta-agent-1, pool-2-thread-4] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A
2022-03-09 19:59:28 UTC [nexo-okta-agent-1, pool-2-thread-5] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing
2022-03-09 19:59:28 UTC [nexo-okta-agent-1, pool-2-thread-5] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A
From the documentation:
"If you see a malformed username in the logs, like the user sent “bob” but the log shows a “Á” this indicates that the server is using MSCHAPv2 to encode the username. Check the VPN device configuration to make sure only PAP authentication is enabled."
My second question is: can you give advice about how we can integrate UniFi Controller with Okta and how to add the VPNs when the client users are all on macOS?
Best Regards!
Zinovi

Hello @ts2ql (ts2ql)
Thanks for posting.
does the Okta Radius app have a way to use the CHAP or CHAPv2 protocol and not PAP?
Unfortunately, this is not supported at the moment. We are continually hoping to provide the best customer experience, so perhaps you would like to share your use case to implement this functionality in a future release. The best method for getting our Product Managers’ attention is to submit an idea to the community site. Once ideas are submitted, they are visible to other Okta admins, who can vote on them to provide more visibility and allow you to monitor the potential for future enhancements.
To Create an Idea:
1. Go to https://ideas.okta.com/
2. Enter your Okta tenant name and click "Go" (if necessary)
3. Sign in and search the Ideas page for existing feature requests to upvote, or click “Make a suggestion” to submit your own
4. Encourage the other admins in your org to upvote the idea as well
https://support.okta.com/help/s/article/Okta-Ideas-Overview-FAQ
Can you give advice, about how we can integrate UniFI Controller with OKTA
This document will provide you some guidance: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-unifi.html
Let us know if this helps you.
Daniela Chavarria.
Okta Inc.
Just worked with Okta Support and the Okta Radius only supports PAP, and nothing with EAP