RADIUS integration

This is where you'll find the information you need to plan and implement your RADIUS integration.

The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication (SFA) or multi-factor authentication (MFA). It installs as a Windows service and supports the Password Authentication Protocol (PAP).

A RADIUS client sends the RADIUS agent the credentials (username and password) of a user requesting access to the client. From here, authentication depends on your org's MFA settings.

  • If MFA is not enabled and the user credentials are valid, the user is authenticated.
  • If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one and obtains a request for a validation code. If the code sent back to the client is correct, the user gains access.

Note: Some applications or services (for example, AWS Workspace) do not provide an MFA selection at login, but instead ask for the MFA code in addition to the user's username and password. If the user has enrolled in more than one MFA factor (for example, Okta Verify and Yubikey), the user does not need to specify which one they are using; the entered code is processed by each handler until it is validated successfully.

The RADIUS application is an independent, Okta-developed app that allows for access control on multiple RADIUS configurations. This option also provides the ability to create policy and assign RADIUS authentication to groups of users.

Get started

Prepare for your RADIUS integration


Implement and manage

Implement and manage RADIUS integrations



Troubleshoot RADIUS integration issues