Install and configure the Okta RADIUS agent on Linux

This document describes the process of installing the Okta RADIUS Agent on Linux operating systems.

This is an Early Access feature. To enable it, contact Okta Support.

The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication (SFA) or multi-factor authentication (MFA).

A RADIUS client sends the RADIUS agent the credentials (username and password) of a user requesting access to the client. Authentication then depends on your org's MFA settings.

If MFA is not enabled and the user credentials are valid, the user is authenticated.
If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one (e.g., Google Authenticator or Okta Verify) and obtains a request for a validation code. If the code sent back to the client is correct, the user gains access.

Topics

Install and configure the Okta RADIUS agent on Linux
Requirements and limitations
Typical workflow

Supported Operating Systems

The Okta RADIUS agent has been tested on the following Linux versions:

Red Hat Enterprise Linux release 8.0
CentOS 7.6
Ubuntu 18.04.4

Requirements and limitations

Before you Begin

You must be able to sign in as root, or be able to execute root level commands using commands such as sudo.
During installation you are prompted to enter your Okta URL, for example https://mycompany.okta.com, and you'll be required to authenticate as an admin.
Have your Okta tenant URL and admin credentials available and ready for use.
For more information about Okta RADIUS Agent Deployment, see Getting started with Okta RADIUS Integrations and Okta RADIUS Server Agent Deployment Best Practices. For general information about Okta’s RADIUS Integrations, please see Okta RADIUS Integrations.

Caution

When installing the RADIUS Agent you must be logged in to an account which has all three of Read-only Admin, Mobile Admin, and App admin roles, or Super admin role.
In addition, Okta recommends the use of dedicated service account to authorize RADIUS agents. A dedicated account ensures that the API token used by the RADIUS agent is not tied to the life-cycle of a specific user account which could be deactivated when the user is deactivated. In addition, service accounts used for RADIUS agents must be given appropriate admin permissions.

Please refer to the Administrators permission table (MFA section) for specific permissions required.

Known Limitations

Proxy configurations must be configured directly in the agent configuration file.

Typical workflow

Task	Description
Download the RADIUS agent	In the Admin Console, go to Settings > Downloads. Select the Download link next to the RADIUS application. Use one of the following commands to generate the hash on your local machine. Note that you should replace setup with the file path to your downloaded agent. Linux: sha512sum setup.rpm MacOS: shasum -a 512 setup.rpm Windows: CertUtil -hashfile setup.exe SHA512 Verify that the generated hash matches the hash on the Downloads page.
Configuring RADIUS apps	To enable RADIUS authentication with Okta, you must install the Okta RADIUS server agent and configure one or more RADIUS applications in the Okta admin console. Admin console RADIUS applications allow Okta to distinguish between different RADIUS-enabled apps and support them concurrently. In addition, Okta RADIUS applications support policy creation and assignment of the application to groups. For more information on configuring the RADIUS App see RADIUS applications in Okta.
Installing the agent	Install the RADIUS LINUX agent
Configure proxies	Configure Proxies
Configure additional properties	Configure properties
Restart the agent	After any upgrade always stop and restart the RADIUS agent. See restart in Manage the agent
Manage the agent	Manage the agent
Access and manage log files	Access and managing log files
Uninstall the agent	Uninstall the agent