Install Okta RADIUS server agent on Windows

The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication (SFA) or multifactor authentication (MFA). It installs as a Windows service and supports the Password Authentication Protocol (PAP).

A RADIUS client sends the credentials of a user who's requesting access to the client to the RADIUS agent. Authentication requests are processed based on the org settings:

  • If MFA is disabled and the user credentials are valid, the user is authenticated.
  • If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one and obtains a request for a validation code. If the code is correct, the user gains access.

Some applications or services, like AWS Workspace, don't provide an MFA selection when signing in. Instead, they ask for the MFA code in addition to the user's username and password. If the user has enrolled in more than one factor, there's no need for the user to specify which factor they're using. Each handler processes their code until it's validated.

Prerequisites

Operating systems

You can install the Okta RADIUS server agent on the following Windows Server versions:

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Windows versions 2008, 2008 R2 and 2003 R2 aren't supported.

Browser

The Okta RADIUS server agent uses Microsoft Edge as the default built-in browser.

Use SSL pinning

RADIUS agent versions 2.2.0 and later are enabled with SSL pinning, which provides an extra layer of security. SSL pinning isn't enabled by default in earlier versions.

If you upgrade from an agent version earlier than version 2.2.0, do the following procedure after the upgrade. This process restricts agent communication only to servers that can present valid certificates with public keys known to the new agents.

Don't do this procedure for agents on a network that has a web security appliance on it.

  1. Open the folder where the Okta RADIUS server agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.
  2. Open the current\user\config\radius\ folder and create backup copies of the config.properties and additional-config.properties files.
  3. Open the current\user\config\radius\config.properties file in a text editor.
  4. Append the following line to the end of the file:

    ragent.ssl.pinning = true

  5. Save the file.
  6. Restart the Okta RADIUS server agent service using the Windows administrative tools.

Typical workflow

Task

Description
Download the Okta RADIUS server agent
  1. In the Admin Console, go to SettingsDownloads.
  2. Click the Download Latest link next to the RADIUS installer that you want to download. Make a note of the installer's file size and SHA-512 hash as they appear on the Downloads page.
  3. Use one of the following commands to generate the hash on your local machine. Replace setup in the commands with the file path to your downloaded agent:
    • Linux: sha512sum setup.rpm
    • macOS: shasum -a 512 setup.rpm
    • Windows: CertUtil -hashfile setup.exe SHA512
  4. Verify that the generated hash matches the hash on the Downloads page.
Enable RADIUS authentication with Okta Install the Okta RADIUS server agent and configure RADIUS apps in the Admin Console. These apps allow Okta to distinguish between different RADIUS-enabled apps and then support them concurrently. Okta RADIUS apps also let you create policies and assign apps to groups.

See RADIUS applications in Okta.
Install the agent Install the RADIUS Windows agent
Configure additional properties Configure properties
Manage the agent Open the Okta RADIUS Agent Manager to change the Shared Secret, RADIUS Port, and Proxy settings using the ProgramsOkta RADIUS Agent Manager menu.
Access and manage log files Access and manage log files

Troubleshoot

 Troubleshoot the Windows RADIUS agent
Uninstall the agent Uninstall the Windows RADIUS agent