This is where you'll find the information you need to plan and implement your RADIUS integration.
The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication (SFA) or multi-factor authentication (MFA). It installs as a Windows service and supports the Password Authentication Protocol (PAP).
A RADIUS client sends the RADIUS agent the credentials (username and password) of a user requesting access to the client. From here, authentication depends on your org's MFA settings.
- If MFA is not enabled and the user credentials are valid, the user is authenticated.
- If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one and receives a request for a validation code. If the code sent back to the client is correct, the user gains access.
Note: Some applications or services (e.g. AWS Workspace) do not actually provide an MFA selection upon login, but instead ask for the MFA code in addition to the user's username and password. In the event that the user has enrolled in more than one MFA factor (e.g. Okta Verify and YubiKey), there is no need for the user to specify which one they are using; the code they enter is processed by each handler until it is validated successfully.
The RADIUS application is an independent, Okta-developed app that allows for access control on multiple RADIUS configurations. This option also provides the ability to create policy and assign RADIUS authentication to groups of users.