RADIUS network zones

When required you can configure Okta to enforce, restrict, or provide different levels of access depending on the IP address, network zone or geolocation of users accessing your RADIUS-enabled system.

When configuring network zones for use with RADIUS, consider the following:

  • Report Client IP attribute: Often a VPN requirement, this attribute is typically set to Calling-Station-Id. For more information see Client IP reporting.
  • Network Zones: Network Zones define security perimeters around which admins can restrict or limit access based on IP address, a range of IP addresses, geo-locations, or more.
    See Network zones and RADIUS service address filtering for more information. Network Zones include both IP zones and dynamic zones.
  • IP Zones: These are typically required to correctly process VPN/WiFi client IP addresses when the Report Client IP attribute is configured. For more information see IP zones and Client IP reporting.
  • Geolocation or Dynamic Zones: Dynamic Zones allow admins to define network perimeters around location, IP Type, and Autonomous System Number (ASN).
    For more information see Dynamic zones.
  • Location-based block listing: Location-based block listing can deny RADIUS clients access by blocking a Network Zone such as an IP Zone or Dynamic Zone. IP Zones contain a list of IP addresses while Dynamic Zones contain a list of locations, ASNs, or IP types. Both are often used with geo-location based org-wide blocklisting. For more information see Blocklist network zones.
  • RADIUS Agent external public-IP address (as seen by Okta): The RADIUS agent external public IP address must be configured as a trusted proxy. If not, Okta treats the RADIUS agent’s IP address as that of the end user, resulting in unexpected behavior.
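
The following is an added illustration, not Okta code and not part of the original page: a small model of how the effective client IP is chosen and then checked against IP zones and a blocklist, following the rules listed above (the reported Calling-Station-Id is honoured only when the RADIUS agent's public IP is a trusted proxy; otherwise the agent's IP stands in for the end user). Zone names, CIDR ranges and addresses are constructed from RFC 5737 documentation ranges; the function names and the allow/deny outcome are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class IPZone:
    """A network zone defined by CIDR ranges (modelled loosely on an Okta IP zone)."""
    name: str
    cidrs: Tuple[str, ...]

    def contains(self, ip: IPAddress) -> bool:
        return any(ip in ipaddress.ip_network(c, strict=False) for c in self.cidrs)


def effective_client_ip(agent_ip: str, calling_station_id: Optional[str],
                        trusted_proxies: Iterable[str]) -> Tuple[IPAddress, str]:
    """Return the address that zone policy is evaluated against, plus the reason.

    The reported client IP (Calling-Station-Id) is only honoured when the RADIUS
    agent's public IP is listed as a trusted proxy; otherwise the agent's own IP
    is treated as the end user's address, which is the "unexpected behavior"
    the text warns about.
    """
    agent = ipaddress.ip_address(agent_ip)
    is_trusted = any(agent in ipaddress.ip_network(p, strict=False) for p in trusted_proxies)
    if not is_trusted:
        return agent, "agent IP used (agent is not a trusted proxy)"
    if not calling_station_id:
        return agent, "agent IP used (no Calling-Station-Id reported)"
    try:
        return ipaddress.ip_address(calling_station_id), "Calling-Station-Id honoured via trusted proxy"
    except ValueError:
        # Calling-Station-Id is not always an IP (some NAS devices send a MAC
        # address); there is then nothing better to evaluate than the agent IP.
        return agent, "agent IP used (Calling-Station-Id is not an IP address)"


def evaluate_access(agent_ip: str, calling_station_id: Optional[str],
                    trusted_proxies: Iterable[str], allow_zones: List[IPZone],
                    block_zones: List[IPZone]) -> Tuple[str, str, str]:
    """Decide allow/deny for one RADIUS authentication.

    Returns (decision, effective_ip, reason). Blocklisted zones win over allow
    zones; if any allow zones are configured, the address must fall in one.
    """
    ip, how = effective_client_ip(agent_ip, calling_station_id, trusted_proxies)
    blocked = [z.name for z in block_zones if z.contains(ip)]
    if blocked:
        return "deny", str(ip), f"{ip} is in blocklisted zone(s) {blocked}; {how}"
    if allow_zones and not any(z.contains(ip) for z in allow_zones):
        return "deny", str(ip), f"{ip} is outside every allowed zone; {how}"
    return "allow", str(ip), how


# Constructed sample configuration (documentation ranges, not real deployments).
CORP_VPN_ZONE = IPZone("corp-vpn-clients", ("203.0.113.0/24",))
BLOCKED_ZONE = IPZone("blocked-ranges", ("192.0.2.0/24",))
RADIUS_AGENT_PUBLIC_IP = "198.51.100.10"

if __name__ == "__main__":
    cases = [
        # (description, trusted proxies, Calling-Station-Id)
        ("agent is a trusted proxy, VPN client in allowed zone", [RADIUS_AGENT_PUBLIC_IP + "/32"], "203.0.113.5"),
        ("agent NOT a trusted proxy, same VPN client", [], "203.0.113.5"),
        ("agent trusted, client in blocklisted range", ["198.51.100.0/24"], "192.0.2.7"),
        ("agent trusted, NAS sent a MAC as Calling-Station-Id", ["198.51.100.0/24"], "00-11-22-33-44-55"),
    ]
    for desc, proxies, csid in cases:
        decision, ip, reason = evaluate_access(RADIUS_AGENT_PUBLIC_IP, csid, proxies, [CORP_VPN_ZONE], [BLOCKED_ZONE])
        print(f"{desc}: {decision} ({reason})")
```

The second case is the one worth noticing: with the agent's public IP missing from the trusted proxy list, the perfectly valid VPN client is denied because the policy was evaluated against the agent's address rather than the user's. Checking that list is the first thing to verify when zone-based RADIUS policy behaves unexpectedly.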
Note

Contact Okta if any of these features are required but not available in your org.