Install and configure the Okta RADIUS Server agent on Windows
The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication (SFA) or multi-factor authentication (MFA). It installs as a Windows service and supports the Password Authentication Protocol (PAP).
A RADIUS client sends the RADIUS agent the credentials (username and password) of a user requesting access to the client. What happens next depends on the org settings:
- If MFA is not enabled and the user credentials are valid, the user is authenticated.
- If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one (e.g., Google Authenticator or Okta Verify) and obtains a request for a validation code. If the code sent back to the client is correct, the user gains access.
Note: Some applications or services (e.g., AWS Workspace) do not actually provide an MFA selection upon login, but instead ask for the MFA code in addition to the user's username and password. If the user has enrolled in more than one MFA factor (e.g., Okta Verify and Yubikey), there is no need for the user to specify which one they are using: the entered code is processed by each handler until it is validated successfully.
Supported Operating Systems
The Okta RADIUS agent can be installed on the following Windows Server versions:
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
Windows versions 2008, 2008 R2 and 2003 R2 are not supported.
Note: If you are running Windows Server 2008 R2 Core, note the additional step under Installing the Okta RADIUS Agent.
Upgrading to Version 2.2.0 and later and SSL Pinning
RADIUS agent versions 2.2.0 and later are enabled with SSL pinning, providing an extra layer of security. SSL pinning is not enabled by default for current users upgrading to the new agent. If upgrading from an agent version prior to v2.2.0, do the following after the upgrade.
The following steps should not be performed for agents on a network containing a web security appliance.
- Open the folder where the Okta RADIUS agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.
- From this folder, navigate to current\user\config\radius\config.properties. Before making changes, we recommend creating a backup of this file. Using a text editor such as Notepad, open the file.
- Append the following line to the end of the file: ragent.ssl.pinning = true
- Save the file.
- Restart the Okta RADIUS Agent service using the available Windows administrative tools.
This process restricts agent communication to servers that can present valid certificates with public keys known to the new agents.
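The upgrade steps above as a PowerShell script, added here as an example and not part of Okta's own documentation or tooling. The folder, file path and property come from the steps; the service display-name pattern `Okta RADIUS*` and the backup file naming are assumptions to confirm on your host.

```powershell
# Added example, not Okta tooling. Run from an elevated PowerShell prompt.
# Per the note above, do not run this on agents whose network contains a web security appliance.
$ErrorActionPreference = 'Stop'

# Default installation folder and relative config path, as given in the steps.
$InstallDir = 'C:\Program Files (x86)\Okta\Okta RADIUS Agent'
$ConfigPath = Join-Path $InstallDir 'current\user\config\radius\config.properties'
# Assumption: the service display name starts with "Okta RADIUS"; confirm with Get-Service.
$ServiceDisplayName = 'Okta RADIUS*'

if (-not (Test-Path -LiteralPath $ConfigPath)) {
    throw "config.properties not found at $ConfigPath"
}
$Service = @(Get-Service -DisplayName $ServiceDisplayName)
if ($Service.Count -ne 1) {
    throw "Expected exactly one service matching '$ServiceDisplayName', found $($Service.Count)."
}

# Look for an existing, uncommented ragent.ssl.pinning entry before touching the file.
$Pattern  = '^\s*ragent\.ssl\.pinning\s*[=:]\s*(\S*)'
$Existing = Select-String -LiteralPath $ConfigPath -Pattern $Pattern | Select-Object -Last 1

if ($Existing -and $Existing.Matches[0].Groups[1].Value -eq 'true') {
    Write-Host 'SSL pinning is already enabled; nothing to change.'
}
elseif ($Existing) {
    # The steps only cover appending the line, so leave a conflicting entry for manual review.
    throw "Conflicting entry at line $($Existing.LineNumber): '$($Existing.Line.Trim())'"
}
else {
    # Back up first; the timestamp keeps reruns from overwriting an earlier backup.
    $Backup = '{0}.{1}.bak' -f $ConfigPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $ConfigPath -Destination $Backup

    # Start on a fresh line if the file does not already end with a newline.
    $Raw    = [System.IO.File]::ReadAllText($ConfigPath)
    $Prefix = if ($Raw.Length -gt 0 -and -not $Raw.EndsWith("`n")) { "`r`n" } else { '' }
    [System.IO.File]::AppendAllText($ConfigPath, "${Prefix}ragent.ssl.pinning = true`r`n")

    # The agent reads the property at startup, so restart the service to apply it.
    $Service | Restart-Service
    Write-Host "Enabled SSL pinning. Backup saved to $Backup"
}

# Show the final setting and service state for the change record.
Select-String -LiteralPath $ConfigPath -Pattern $Pattern | ForEach-Object { $_.Line }
Get-Service -DisplayName $ServiceDisplayName | Format-Table Name, DisplayName, Status
```

If the service fails to start or the agent cannot reach Okta after the restart, restore the `.bak` copy and restart the service again.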