Install and configure the Okta RADIUS Server agent

The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication (SFA) or multi-factor authentication (MFA). It installs as a Windows service and supports the Password Authentication Protocol (PAP).

For best practices, see Okta RADIUS Server Agent Deployment Best Practices.

A RADIUS client sends the RADIUS agent the credentials (username and password) of a user requesting access to the client. From here, authentication depends on your org's MFA settings.

  • If MFA is not enabled and the user credentials are valid, the user is authenticated.
  • If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one (e.g., Google Authenticator or Okta Verify) and obtains a request for a validation code. If the code sent back to the client is correct, the user gains access.

Note: Some applications or services (e.g., AWS Workspace) do not provide an MFA selection at login, but instead ask for the MFA code in addition to the user's username and password. If the user has enrolled in more than one MFA factor (e.g., Okta Verify and YubiKey), the user does not need to specify which one they are using; the entered code is processed by each handler until it is validated successfully.

To Obtain the RADIUS Agent:

Check the Downloads page to determine this agent's file size and SHA-512 hash. You can use the file size and hash to verify the integrity of the files.

  1. In the Admin Console, go to Settings > Downloads.
  2. Select the Download link next to the RADIUS application.
  3. Use one of the following commands to generate the hash on your local machine. Replace setup with the file path to your downloaded agent.
    • Linux: sha512sum setup.rpm
    • macOS: shasum -a 512 setup.rpm
    • Windows: CertUtil -hashfile setup.exe SHA512
  4. Verify that the generated hash matches the hash on the Downloads page.
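
The comparison in steps 3 and 4 as a single check, added here as an example and not part of Okta's tooling: a POSIX shell function that compares both the file size and the SHA-512 digest with the values copied from the Downloads page. The function names (verify_download, sha512_of, normalize_hex) are hypothetical, and the expected size and hash are supplied by the caller.

```shell
#!/bin/sh
# Added example (not Okta code). Usage, with values copied from the Downloads page:
#   verify_download setup.rpm <size-in-bytes> <sha512-hex>

# Print the SHA-512 hex digest of a file with whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | awk '{print $1}'
    else
        echo "no SHA-512 tool found" >&2
        return 2
    fi
}

# Normalise a pasted digest: strip whitespace and lowercase the hex letters,
# so a copy in upper case or with stray spaces still compares correctly.
normalize_hex() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# Returns 0 only if size AND hash match, 1 on mismatch, 2 on bad input or tooling.
verify_download() {
    file=$1; want_size=$2; want_hash=$(normalize_hex "$3")
    [ -f "$file" ] || { echo "not a file: $file" >&2; return 2; }
    # A SHA-512 digest is exactly 128 hex characters; reject truncated pastes.
    case $want_hash in
        *[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#want_hash}" -eq 128 ] || { echo "expected hash is not 128 hex chars" >&2; return 2; }
    got_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$got_size" != "$want_size" ]; then
        echo "SIZE MISMATCH: got $got_size, expected $want_size" >&2
        return 1
    fi
    got_hash=$(sha512_of "$file") || return 2
    if [ "$got_hash" != "$want_hash" ]; then
        echo "HASH MISMATCH: got $got_hash" >&2
        return 1
    fi
    echo "OK: $file matches the published size and SHA-512"
}
```

A non-zero return means the installer should not be run; download it again and repeat the check.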