
ChuckP.41574 (Customer) asked a question.
I'm trying to replace our existing infrastructure that's running on one system and has Okta ragent v2.19.0 RADIUS server running. I've installed new systems running the current release v2.24.2 but I think I'm missing something.
I can see everything listening properly and doing a tcpdump, I can see the inbound client requests. What I don't see is the challenge response coming back from the server:
16:30:33.666163 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x02 length: 236
16:30:36.666551 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x02 length: 236
16:30:38.669176 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x03 length: 236
16:30:41.679421 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x03 length: 236
16:30:42.689412 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x02 length: 236
16:30:43.682628 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x04 length: 236
16:30:46.699544 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x04 length: 236
16:30:47.709543 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x03 length: 236
And the /opt/okta/ragent/logs/okta_radius.log shows:
2025-05-02 16:30:33 UTC [radius1, pool-2-thread-5] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing
2025-05-02 16:30:33 UTC [radius1, pool-2-thread-5] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A
2025-05-02 16:30:36 UTC [radius1, pool-2-thread-6] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing
2025-05-02 16:30:36 UTC [radius1, pool-2-thread-6] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A
2025-05-02 16:30:38 UTC [radius1, pool-2-thread-7] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing
2025-05-02 16:30:38 UTC [radius1, pool-2-thread-7] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A
2025-05-02 16:30:41 UTC [radius1, pool-2-thread-8] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing
2025-05-02 16:30:41 UTC [radius1, pool-2-thread-8] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A
2025-05-02 16:30:42 UTC [radius1, pool-2-thread-9] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing
2025-05-02 16:30:42 UTC [radius1, pool-2-thread-9] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A
2025-05-02 16:30:43 UTC [radius1, pool-2-thread-10] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing
2025-05-02 16:30:43 UTC [radius1, pool-2-thread-10] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A
2025-05-02 16:30:46 UTC [radius1, pool-2-thread-11] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing
2025-05-02 16:30:46 UTC [radius1, pool-2-thread-11] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A
2025-05-02 16:30:47 UTC [radius1, pool-2-thread-12] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing
2025-05-02 16:30:47 UTC [radius1, pool-2-thread-12] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A
I've tried all kinds of things and even brought in a different wireless router that supports pointing to an external RADIUS server and with everything that I've tried, the behavior is the same. So I'm just wondering if I'm missing something in the ragent server configuration.
Thanks in advance for any suggestions!

Hello @ChuckP.41574 (Customer), thank you for posting on our Community page!
This happens because you are using CHAP for authentication, and currently Okta RADIUS does not support this. Please see the article below:
https://support.okta.com/help/s/article/Unable-to-Authenticate-Users-to-Cisco-Meraki-ERROR-malformed-RADIUS-packet?language=en_US
Thank you for reaching out to our Community and have a great day!
Hi Paul and thanks for the response.
I don't know if that's true, actually. Our Meraki is broadcasting an SSID that points to the old RADIUS 2.19.0 server and it works as expected. I created another SSID that points to the new 2.24.2 server and it doesn't work, reporting the same output as above and the two SSIDs are configured exactly the same.
Is there a way to verify this for sure?
Thanks again!
I should mention that I've also used the working SSID and pointed it to the new RADIUS server and it exhibits the same failure to send the challenge response.
Just to be sure, the only config file I've modified is /opt/okta/ragent/user/radius/config.properties which looks like this:
#version of OKTARadiusAgent
ragent.version=2.24.2
ragent.okta.token = <mytoken>
ragent.okta.api_endpoint = https://mycompany.okta.com
ragent.ssl.pinning = true
ragent.proxy.enabled = false
ragent.id = <myragentId>
There's also the ragent.enc.key that's in /var/lib/ragent/additional-config.properties
Is there anything else?
Thanks again!
Hi @ChuckP.41574 (Customer), in this case I would recommend opening a case with Support for additional investigation.
Unfortunately, I have and really haven't gotten anywhere.