Okta Classic Engine | Integrations | Answered | 2025-05-05T15:10:26.000Z | 2025-05-02T17:20:09.000Z | 2025-05-05T15:10:26.000Z

ChuckP.41574 (Customer) asked a question.

How do you configure the Okta ragent RADIUS server?

I'm trying to replace our existing infrastructure that's running on one system and has Okta ragent v2.19.0 RADIUS server running. I've installed new systems running the current release v2.24.2 but I think I'm missing something.

 

I can see everything listening properly and doing a tcpdump, I can see the inbound client requests. What I don't see is the challenge response coming back from the server:

 

16:30:33.666163 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x02 length: 236

16:30:36.666551 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x02 length: 236

16:30:38.669176 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x03 length: 236

16:30:41.679421 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x03 length: 236

16:30:42.689412 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x02 length: 236

16:30:43.682628 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x04 length: 236

16:30:46.699544 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x04 length: 236

16:30:47.709543 ens5 In IP my.source.ip.26600 > ip-172-25-11-39.ec2.internal.radius: RADIUS, Access-Request (1), id: 0x03 length: 236

 

And the /opt/okta/ragent/logs/okta_radius.log shows:

 

2025-05-02 16:30:33 UTC [radius1, pool-2-thread-5] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing

2025-05-02 16:30:33 UTC [radius1, pool-2-thread-5] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A

2025-05-02 16:30:36 UTC [radius1, pool-2-thread-6] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing

2025-05-02 16:30:36 UTC [radius1, pool-2-thread-6] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A

2025-05-02 16:30:38 UTC [radius1, pool-2-thread-7] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing

2025-05-02 16:30:38 UTC [radius1, pool-2-thread-7] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A

2025-05-02 16:30:41 UTC [radius1, pool-2-thread-8] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing

2025-05-02 16:30:41 UTC [radius1, pool-2-thread-8] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A

2025-05-02 16:30:42 UTC [radius1, pool-2-thread-9] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing

2025-05-02 16:30:42 UTC [radius1, pool-2-thread-9] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A

2025-05-02 16:30:43 UTC [radius1, pool-2-thread-10] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing

2025-05-02 16:30:43 UTC [radius1, pool-2-thread-10] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A

2025-05-02 16:30:46 UTC [radius1, pool-2-thread-11] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing

2025-05-02 16:30:46 UTC [radius1, pool-2-thread-11] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A

2025-05-02 16:30:47 UTC [radius1, pool-2-thread-12] : ERROR - malformed RADIUS packet. Exception message: Access-Request: User-Password or CHAP-Password/CHAP-Challenge missing

2025-05-02 16:30:47 UTC [radius1, pool-2-thread-12] : INFO - Completed processing. packetId=0, totalProcessingTime=0ms, queueTime=0ms, oktaTime=0ms, httpCode=N/A, result=FAILED, remoteAddress=N/A

 

I've tried all kinds of things and even brought in a different wireless router that supports pointing to an external RADIUS server and with everything that I've tried, the behavior is the same. So I'm just wondering if I'm missing something in the ragent server configuration.

 

Thanks in advance for any suggestions!


  • Paul S. (Okta, Inc.)

    Hello @ChuckP.41574 (Customer), thank you for posting on our Community page!

     

    This happens because you are using CHAP for authentication and currently Okta radius does not support this. Please see article below:

    https://support.okta.com/help/s/article/Unable-to-Authenticate-Users-to-Cisco-Meraki-ERROR-malformed-RADIUS-packet?language=en_US

     

    Thank you for reaching out to our Community and have a great day!

  • ChuckP.41574 (Customer)

    Hi Paul and thanks for the response.

     

    I don't know if that's true, actually. Our Meraki is broadcasting an SSID that points to the old RADIUS 2.19.0 server and it works as expected. I created another SSID that points to the new 2.24.2 server and it doesn't work, reporting the same output as above and the two SSIDs are configured exactly the same.

     

    Is there a way to verify this for sure?

     

    Thanks again!

  • ChuckP.41574 (Customer)

    I should mention that I've also used the working SSID and pointed it to the new RADIUS server and it exhibits the same failure to send the challenge response.

     

    Just to be sure, the only config file I've modified is /opt/okta/ragent/user/radius/config.properties which looks like this:

     

    #version of OKTARadiusAgent

    ragent.version=2.24.2

    ragent.okta.token = <mytoken>

    ragent.okta.api_endpoint = https://mycompany.okta.com

    ragent.ssl.pinning = true

    ragent.proxy.enabled = false

    ragent.id = <myragentId>

     

    There's also the ragent.enc.key that's in /var/lib/ragent/additional-config.properties

     

    Is there anything else?

     

    Thanks again!

    • Paul S. (Okta, Inc.)

      Hi @ChuckP.41574 (Customer), in this case I would recommend opening a case with Support for additional investigation.

      • ChuckP.41574 (Customer)

        Unfortunately, I have and really haven't gotten anywhere.

This question is closed.
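
On the question in the thread of how to verify which authentication method the client is sending: the agent's error names User-Password and CHAP-Password/CHAP-Challenge, so one check is to parse the UDP payload of a captured Access-Request and see which credential attributes it actually carries. The following is an added example, not code from the thread or from Okta; the function names and sample packets are constructed for illustration, and the attribute numbers are the standard RADIUS ones.

```python
import struct

# Attribute numbers from RFC 2865 / RFC 2869 / RFC 3579 that carry credentials.
USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, EAP_MESSAGE = 2, 3, 26, 79
MICROSOFT_VENDOR_ID = 311  # MS-CHAP attributes travel inside Vendor-Specific

def parse_radius(payload: bytes):
    """Return (code, packet_id, [(attr_type, value), ...]) for one datagram."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, pkt_id, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("Length field disagrees with datagram size")
    attrs, pos = [], 20
    while pos < length:
        a_len = payload[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        attrs.append((payload[pos], payload[pos + 2:pos + a_len]))
        pos += a_len
    return code, pkt_id, attrs

def credential_method(payload: bytes) -> str:
    """Name the authentication method an Access-Request is carrying."""
    code, _, attrs = parse_radius(payload)
    if code != 1:
        return "not an Access-Request"
    types = {t for t, _ in attrs}
    if USER_PASSWORD in types:
        return "PAP"
    if CHAP_PASSWORD in types:
        return "CHAP"
    if EAP_MESSAGE in types:
        return "EAP"
    if any(t == VENDOR_SPECIFIC and int.from_bytes(v[:4], "big") == MICROSOFT_VENDOR_ID
           for t, v in attrs):
        return "MS-CHAP"
    return "no credential attribute"

def build(code, pkt_id, attrs):
    """Assemble a constructed test packet with an all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, pkt_id, 20 + len(body)) + bytes(16) + body

# Constructed samples, not taken from the capture in the thread.
PAP_REQ = build(1, 2, [(1, b"alice"), (USER_PASSWORD, bytes(16))])
CHAP_REQ = build(1, 3, [(1, b"alice"), (CHAP_PASSWORD, bytes(17)), (60, bytes(16))])
EAP_REQ = build(1, 4, [(1, b"alice"), (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice"), (80, bytes(16))])

if __name__ == "__main__":
    for name, pkt in [("PAP", PAP_REQ), ("CHAP", CHAP_REQ), ("EAP", EAP_REQ)]:
        print(name, "->", credential_method(pkt))
```

Running `credential_method` on a payload captured from each SSID, against both the old and the new server, shows whether the two requests really carry the same credential attributes.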