RADIUS common issues and concerns

Troubleshooting common RADIUS issues and concerns

The RADIUS Server agent cannot be installed.

Solutions include:

  • Ensure you are installing on one of the supported Windows or Linux versions for Okta RADIUS.

    • The Okta RADIUS agent can be installed on the following Windows Server versions:

    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
    • Windows Server 2022

    Windows versions 2008, 2008 R2 and 2003 R2 are not supported.

    The Okta RADIUS agent has been tested on the following Linux versions:

    • Red Hat Enterprise Linux release 8.0, 8.3
    • CentOS 7.6
    • Ubuntu 18.04.4, 20.04.1 LTS
  • Use the full Okta URL under “Custom” instead of just subdomain under “Production” in the installer.
  • Check for the presence of a proxy server, the RADIUS Server Agent installer is sensitive about proxies.
  • Check for a SSL interception device like a Palo Alto or FireEye. This is related to certificate pinning and affects all agents.
  • Try a different server in the environment just to eliminate any local machine issues.
  • Make sure there are no leftover files under c:\program files (x86)\Okta\Okta RADIUS\ from a previous failed install.
  • Check Windows services.msc to make sure there isn’t a bad Okta RADIUS service leftover from a previous install (rare).
  • Try another version of the RADIUS Server Agent like like the newest EA version.

Unreachable RADIUS agent.
The RADIUS Server Agent is running but the RADIUS client device cannot reach it (note: different than failing logins)

  • Check the Okta RADIUS logs under C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\logs\ to see if any connections are being made. Any connection, even failed ones, should show up.
  • Double check the server name/server IP entered into the VPN device, just to make sure it was keyed in correctly.
  • Verify the status of the Windows firewall on the Okta RADIUS Server Agent server to make sure it is not blocking the connection.
  • Verify that the VPN device and the server can reach each other via ping or ask for a network admin to verify network connectivity.
  • Configure the RADIUS server using the IP address instead of the hostname. There are networks where DNS is limited and hostnames will not resolve.
  • Determine if network layer issues are preventing connection with network engineer (NTRADPing can be helpful here).

The RADIUS Server Agent is rejecting valid login attempts.

Possible solutions:

  • The RADIUS Server Agent is rejecting valid login attempts
  • Verify the user is assigned to the RADIUS App in Okta.
  • Verify the user is enrolled in MFA.
  • Verify the shared secret on both the Okta RADIUS Server Agent and on the VPN device. A mismatch will cause all authentications to fail.
  • Check the local RADIUS logs.
  • Also look for any errors that could indicate the API token expired.
  • If you see a malformed username in the logs, like the user sent “bob” but the log shows a “Á” this indicates that the server is using MSCHAPv2 to encode the username. Check the VPN device configuration to make sure only PAP authentication is enabled.
  • Check the Okta syslog to see why the connection was rejected.
  • Check VPN device for any settings that could/would restrict login.

When logging in, user is not prompted for preferred factor.

Possible solutions:

  • The server or client doesn’t support RADIUS challenge
  • OpenVPN server does support RADIUS challenge but the free client that is included with it does not support the method and fails.
  • Some versions of Cisco’s AnyConnect VPN client have issues with challenge. It is sporadic and upgrading to the latest version usually fixes it.
  • VMWare View prior to version 5.1 does not support RADIUS challenge.
  • This is not true two-factor auth unless it is paired with AD/LDAP auth! This may or may not be a concern.
  • For information on 2FA (to use only the second factor in MFA), see Using the Okta RADIUS App.

After changing one or more properties, the change is ignored.

Possible solutions:

  • Changes have been made to RADIUS agent config.properties file, but these changes are not being reflected in the RADIUS Agent.
  • The RADIUS Agent must be restarted after making any changes to the config.properties file.
  • Changes made in the associated app in the Okta org do NOT require an agent restart. However, the agent may take a few minutes before it retrieves the updated configuration.
  • For more information about RADIUS Agent properties see the Additional Properties section in Install and configure the Okta RADIUS Server agent on Windows.

This message appears in your logs when the RADIUS Server Agent rejects logins because it's reached the maximum number of request threads and connections it can process.

Possible solution:

  • Update the maximum number of request threads and connections in config.properties. The recommended maximum values are:

    • ragent.num_request_threads=60

    • ragent.num_max_http_connection=80

For more information, see Configure properties, Configure properties, and RADIUS throughput and scaling.