Add and configure On-Prem MFA/RSA SecurID

Before installing the agent, you must configure:

  • MFA factors
  • RSA SecurID or On-Prem MFA

Configure factors

  1. Sign in to your Okta tenant as an administrator.

  2. In the Admin Console, go to SecurityMultifactor.

  3. Select the Factor Types tab.
  4. Choose On-Prem MFA or RSASecurID.

  5. Click Edit.

Configure On-prem MFA

  1. Select the Factor Types tab.
  2. Select the On-Prem MFA factor, and click Edit.
  3. Enter the following fields:
    • Provider name: This is the name that appears to end users during their login challenge.
    • Provider username format: Select the format expected by the provider.

      Custom is not supported with On Prem MFA.

    • Hostname: The server host name or IP address of the RSA server.
    • Authentication Port: The RADIUS server port (for example 1812). This is defined when the On-Prem RADIUS server is configured.
    • Shared Secret: An authentication key that must be defined when the RADIUS server is configured, and must be the same on both the RADIUS client and server.
  4. Click Add New Agent. Note the value of the Instance ID. You're also provided with a download link for the on-prem MFA agent installer.
  5. Click Save.
  6. Change the factor state to Active, if required.

Configure RSA SecurID

  1. Select the Factor Types tab.
  2. Select the RSA SecurID factor, and click Edit.
  3. If prompted, click Enable RSA SecurID, then click Edit.
  4. Enter the following fields:
    • RSA username format: Select the format expected by the provider.
    • Hostname: The server host name or IP address.
    • Authentication Port: The RADIUS server port (for example, 1812). This is defined when the On-Prem RADIUS server is configured.
    • Shared Secret: An authentication key that must be defined when the RADIUS server is configured, and must be the same on both the RADIUS client and server.
  5. Click Add New Agent. Note the value of the instance ID. You're also provided with a download link for the agent installer.
  6. Enable or Disable as required.
  7. Click Save.

Ensure that you've configured a RADIUS client on the RSA server and that the client is configured to reference the server that's running the Okta RADIUS agent.

Next steps

Disable SSL Pinning