RADIUS common issues and concerns

The RADIUS server agent doesn't install

Ensure that you're installing on one of the supported Windows or Linux versions for Okta RADIUS.

You can install the Okta RADIUS server agent on the following Windows Server versions:

Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022

Windows versions 2008, 2008 R2 and 2003 R2 aren't supported.

The Okta RADIUS server agent has been tested on the following Linux versions:

Red Hat Enterprise Linux release 8.0, 8.3, 9.0
CentOS 7.6
Ubuntu 18.04.4, 20.04.1 LTS

Use the full Okta URL under Custom instead of subdomain under Production in the installer.
Check for the presence of a proxy server. The RADIUS Server Agent installer may not function correctly if proxies are present.
Check for an SSL interception device like a Palo Alto or FireEye. This is related to certificate pinning and affects all agents.
Try using a different server in the environment to eliminate the possibility that local machine issues are the problem.
Verify that there are no leftover files under c:\program files (x86)\Okta\Okta RADIUS\ from a previous failed installation.
Verify that there's no bad Okta RADIUS service from a previous installation in the Windows services.msc utility.
Try running the newest EA version of the RADIUS Server Agent.
Verify that the length of the secret key is 16 characters or less.

The VPN device can't reach the RADIUS Server Agent

The RADIUS Server Agent is running but the RADIUS client device can't reach it. This is different than failed sign-in attempts.

Check the Okta RADIUS logs in C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\logs\ to see if any connections have occurred. All connections appear in the logs, including failed ones.
Verify the server name and IP address that were entered into the VPN device are correct.
Verify the status of the Windows firewall on the Okta RADIUS Server Agent server to make sure it isn't blocking the connection.
Verify that the VPN device and the server can reach each other through ping.
Ask a network administrator to verify that network connectivity issues aren't preventing connections. Consider asking them to run NTRADPing for you.
Configure the RADIUS server using the IP address instead of the hostname. There are networks where DNS is limited and hostnames don't resolve.

Correct credentials fail to authenticate

The RADIUS Server Agent is rejecting valid sign-in attempts.
Verify that the user is assigned to the RADIUS app in Okta.
Verify that the user is enrolled in multifactor authentication (MFA).
Verify that the shared secret on both the Okta RADIUS Server Agent and on the VPN device match each other. A mismatch causes all authentications to fail.
Verify that the length of the secret key is 16 characters or less.
Check the local RADIUS logs for signs of unusual activity and errors that indicate that the API token expired.
If you see a malformed username in the logs, it indicates that the server is using MSCHAPv2 to encode the username. Check the VPN device configuration to make sure only PAP authentication is enabled.
Check the Okta System Log to see why the connection was rejected.
Check the VPN device for any settings that could restrict login.

The user wasn't prompted for a preferred factor

The server or client doesn't support the RADIUS challenge.
The OpenVPN server supports a RADIUS challenge, but the free client that is included with it doesn't support the method and sign-in attempts fail.
If you have a Cisco AnyConnect VPN client, consider upgrading it to the latest version.
VMWare View versions 5.1 and earlier doesn't support a RADIUS challenge.
For information on using only the second factor in MFA, see RADIUS applications in Okta.

Changes to the RADIUS agent config.properties aren't taking effect

Changes have been made to the RADIUS agent config.properties file, but these changes aren't reflected in the RADIUS Agent.
Restart the RADIUS Agent after changing the config.properties file.
If you change the associated app in the Okta org, you don't need to restart the agent. However, it takes several minutes for the agent to receive the updated configuration.
For more information about RADIUS Agent properties see Install Okta RADIUS server agent on Windows.

The request queue is full

This message appears in your logs when the RADIUS Server Agent rejects sign-in attempts. It appears because the agent has reached the maximum number of request threads and connections that it can process.

Update the maximum number of request threads and connections in config.properties. These are the recommended maximum values:
- ragent.num_request_threads=60
- ragent.num_max_http_connection=80