<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D5KZ00000m4C6g0AEOkta Classic EngineIntegrationsAnswered2025-05-06T20:05:58.000Z2025-05-05T20:16:35.000Z2025-05-06T20:05:58.000Z

TravisF.00774 (Customer) asked a question.

May 5, 2025 at 8:16 PM
Enable Okta RADIUS agent with RadSec for use with Juniper switches requiring TLS RADIUS

After upgrading our Juniper switches to the latest OS, they no longer work with Okta RADIUS server we have in Ubuntu using PAP, Juniper support is telling us we need to enable RADIUS over TLS (RadSec). Does Okta have a solution for this, or would it be simplest to stand up a freeRADIUS ubuntu server in front of our existing Okta RADIUS ubuntu servers currently working with PAP?

  • 3 answers
  • 182 views

  • User17157611498146715886 (Customer Support Online Community and Social Care)

    Hello @TravisF.00774 (Customer)​ , thank you for contacting Okta Community.

     

    It seems like Juniper is no longer supporting PAP. Instead, it is likely requiring EAP and/or message authenticator. You can read more about the Okta Radius agent and how to implement EAP and/or message authenticator here:

    Recommended Update of RADIUS Agent Versions Prior to 2.24.0 and Okta On-Prem MFA Agent Versions Prior to 1.8.0

     

    Regards. 

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Collect them all. Learn a new skill and earn a new Okta Learning badge.

    Expand Post

  • TravisF.00774 (Customer)

    Hello, that's mostly correct, below are the solutions Juniper is offering us to do. We have enabled the Require message-authenticator attribute, and while it is in the header of the first packets, it is not fitting the bill. Apologies, but the arcticle you linked appears to go to updating Okta RADIUS agents, not EAP or message authenticator. Perhaps we did not implement it correctly. We are running Okta RADIUS version 2.24.2 already. We did check the box "Require Message-Authenticator for incoming client requests" within the OKta application, but still was not working.

     

    Unaffected implementations include:

    - EAP based 802.1X Authentications

    - or Protected over TLS such as RadSec

    - or Require Message-Authenticator attribute from every server-client response

     

    Expand Post

    • User17157611498146715886 (Customer Support Online Community and Social Care)

      Hello @TravisF.00774 (Customer)​ , I recommend that you open a Support ticket (Customer Support Account ID number required) so one of our engineers can analyze it and provide in-depth troubleshooting. You could also provide more details in a ticket that shouldn’t be given here, as this is a public space.

      Please note that opening a support ticket is a feature available only to paid accounts. If you do not have a paid account, but are interested in upgrading, you can contact our Sales team

       

      Regards. 

      --

      Help others in the community by liking or hitting Select as Best if this response helped you.

      Collect them all. Learn a new skill and earn a new Okta Learning badge.

      Expand Post
This question is closed.
Loading
Enable Okta RADIUS agent with RadSec for use with Juniper switches requiring TLS RADIUS