Install the Okta RADIUS Agent

If you're uninstalling and reinstalling an Okta RADIUS agentA software agent is a lightweight program that runs as a service outside of Okta. It is typically installed behind a firewall and allows Okta to tunnel communication between an on-premises service and Okta's cloud service. Okta employs several agent types: Active Directory, LDAP, RADIUS, RSA, Active Directory Password Sync, and IWA. For example, users can install multiple Active Directory agents to ensure that the integration is robust and highly available across geographic locations., you must decide if you want to remove the old Okta API token. Installing the Okta RADIUS agent does not overwrite existing configuration data in the Okta RADIUS agent folder. To remove the API token, you need to delete the Okta RADIUS agent folder and then deactivate and remove your old Okta RADIUS agent.




When installing the RADIUS Agent you must be logged in as one of the with Read-only AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page., Mobile Admin, App adminAn app admin can be granted access to all instances of an app, or just specific instances of that application. This allows for more granular access control., or Super admin roles.
In addition, Okta recommends the use of dedicated service account to authorize RADIUS agents. A dedicated account ensures that the API token used by the RADIUS agent is not tied to the life-cycle of a specific user account which could be deactivated when the user is deactivated. In addition, service accounts used for RADIUS agents must be given appropriate admin permissions.

Please refer to the Administrators permission table (MFA section) for specific permissions required.

  1. From your Administrator Dashboard, select Settings > Downloads > Okta RADIUS Server Agent.

  2. Click the Download button and run the Okta RADIUS installer.

  3. Proceed through the installation wizard to the "Important Information" and "License Information" screens.

  4. Choose the Installation folder and click the Install button.

  5. On the Okta RADIUS Agent Configuration screen, enter your RADIUS Shared Secret key and RADIUS Port number. If you are using the RADIUS application, these elements are not required.



    Avoid the use of special characters when entering the shared secret. Certain special characters can cause the installation to fail with Error Code: 3.

  6. On the Okta RADIUS Agent Proxy Configuration screen, you can optionally enter your proxy information. Click the Next button.

  7. On the Register Okta RADIUS Agent screen, enter the following: Choose your orgThe Okta container that represents a real-world organization. version.

  8. If setting this up to test on your Okta Preview SandboxA sandbox environment that you request from Okta. This sandbox is an org that lives in oktapreview. It gives you complete access to a fully functioning version of Okta to test things like AD integrations and application configurations prior to pushing them out to your full set of users. org, you'll need to enter the complete URL for your org. For example:

    • Enter Subdomain – For example, if you access Okta using, enter "mycompany", as described below.
  9. For Windows Server 2008 R2 Core only: Open a browser and add the provided URL into the address field. This authorizes the installer to use Okta.

  10. Click the Next button to continue on to an Okta Sign In page.
  11. Sign into the service specific Okta account on the Sign In screen.
  12. Click the Allow Access button.
  13. Radius_7.jpg

  14. The confirmation screen appears. Click the Finish button to complete the installation.

Note: If during the agent installation you encounter Error code 12: Could not establish trust relationship for the SSL/TLS service channel, ensure that you are running the latest version of the agent as older agent versions do not support TLS 1.2.