Install and configure the Okta RADIUS Server agent on Windows

The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication> (SFA) or multi-factor authentication(MFA). It installs as a Windows service and supports the Password Authentication Protocol (PAP).

A RADIUS client sends the RADIUS agent the credentials (username and password) of a user requesting access to the client. After which, depending org settings:

  • If MFA is disabled enabled and the user credentials are valid, the user is authenticated.
  • If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one (e.g., Google Authenticator or Okta Verify) and obtains a request for a validation code. If the code sent back to the client is correct, the user gains access.

Note: Some applications or services (i.e. AWS Workspace) do not actually provide an MFA selection upon login, but instead ask for the MFA code in addition to the user's username and password. In the event that the user has enrolled in more than one MFA (i.e. Okta Verify and Yubikey), there is no need for the user to specify which they are using – their entered code will be processed by each handler until it is validated successfully.

Supported Operating Systems

The Okta RADIUS agent can be installed on the following Windows Server versions:

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Windows versions 2008, 2008 R2 and 2003 R2 are not supported.

Requirements and limitations

Upgrading to Version 2.2.0 and later and SSL Pinning

RADIUS agent versions 2.2.0 and later are enabled with SSL pinning, providing an extra layer of security. SSL pinning is not enabled by default for current users upgrading to the new agent. If upgrading from an agent version prior to v2.2.0, do the following after the upgrade.


The following steps should not be performed for agents on a network containing a web security appliance.

  1. Open the folder where the Okta RADIUS agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.
  2. From this folder, navigate to current\user\config\radius\ Before making changes, we recommend creating a back up of and Using a text application such a Notepad, open the file current\user\config\radius\ residing in the Okta RADIUS agent installation folder.
  3. Append the following line to the end of the file: ragent.ssl.pinning = true
  4. Save the file.
  5. Restart the Okta RADIUS Agent service using the available Windows administrative tools.

This process restricts agent communication to only servers which can present valid certificates with public keys known to the new agents.

Typical workflow



Download the RADIUS agent
  1. In the Admin Console, go to Settings > Downloads.
  2. Select the Download link next to the RADIUS application.
  3. Use one of the following commands to generate the hash on your local machine. Note that you should replace setup with the file path to your downloaded agent.
    • Linuxsha512sum setup.rpm
    • MacOSshasum -a 512 setup.rpm
    • WindowsCertUtil -hashfile setup.exe SHA512
  4. Verify that the generated hash matches the hash on the Downloads page.
Configuring RADIUS apps
  • To enable RADIUS authentication with Okta, you must install the Okta RADIUS server agent and configure one or more RADIUS applications in the Okta admin console. Admin console RADIUS applications allow Okta to distinguish between different RADIUS-enabled apps and support them concurrently. In addition, Okta RADIUS applications support policy creation and assignment of the application to groups.
    For more information on configuring the RADIUS App see RADIUS applications in Okta.

Installing the agent
Configure additional properties
Manage the agent
  • You can open the Okta RADIUS Agent Manager to make changes to the Shared Secret, RADIUS Port, and Proxy settings using Programs > Okta RADIUS Agent Manager.
Access and manage log files


Uninstall the agent