Enable the Agent

During this task we will enable the appropriate On-Prem MFA or RSA SecurID agent.

To enable the On-Prem MFA agent or RSA SecurID, complete the following steps:

  1. From your Administrative Dashboard navigate to Security > Multifactor.
  2. Select the Factor Types tab.
  3. Click the Edit button. The On-Prem MFA factor is not selectable at this time, unless you have set up this factor previously. Select either the RSA SecurID link or the Custom link to continue; the boxes are not selectable, unless you have set up the factor previously.

For RSA SecurID

  1. In the RSA Security Console, click RADIUS> RADIUS Clients> Add New.
  2. Enter Client Name.
  3. Do not Select Any Client.
  4. In the IP Address Type field, select the RADIUS client IP address type that is required by your agents.
  5. Select IPv4 or IPv6.
  6. In the IPvX Address field, enter the IP address of the okta MFA client.
  7. In the Make/Model drop-down list, select the Standard Radius type of RADIUS client.
  8. In the Shared Secret field, enter: yoursecretpassphrasehere.
  9. Select Client Status.
  10. a. Inactivity Time = 10 (suggested value from RSA).

  11. In the Notes field, enter whatevernotesyouwanttoputinRSA.
  12. Click Save and Create Associated RSA Agent.
  13. On the next screen, click Save Agent.

Repeat as needed for backup servers.

For Custom

  1. Click the On-Prem MFA link in the Configure information box.
  2. On the On-Prem MFA page, click the Edit button in the On-Prem Multifactor Authentication Settings section.
  3. Enter the on-prem provider name.
  4. Select the preferred provider username format.
  5. Enter the Hostname, Authentication port, and Shared secret fields.
  • Custom On-prem provider name: This is the name that appears to end users during their login challenge.
  • Provider username format: Select the format expected by the provider.


    Custom is not supported with On Prem MFA.

  • Hostname: The server host name or IP address.
  • Authentication Port: The RADIUS server port (e.g., 1812). This is defined when the On-Prem RADIUS server is configured.
  • Shared Secret: An authentication key that must be defined when the RADIUS server is configured, and must be the same on both the RADIUS client and server.
  1. Click the Add New Agent link.
  2. Click the Save button.