Install and configure the RADIUS agent in AWS

During this task, you install and configure the Okta RADIUS agent on an AWS instance.

Before you begin

  • Ensure that you have the common UDP port and shared secret values available.
    Port 1899 is used throughout this integration.

Install the RADIUS Agent

Important

The following steps should be completed on the AWS instance described as Instance B.

Caution

When installing the RADIUS agent, you must be logged in to an account that has all three of the Read-only Admin, Mobile Admin, and App Admin roles, or the Super Admin role.
In addition, Okta recommends using a dedicated service account to authorize RADIUS agents. A dedicated account ensures that the API token used by the RADIUS agent is not tied to the life cycle of a specific user, whose account could be deactivated when that user is deactivated. Service accounts used for RADIUS agents must also be given the appropriate admin permissions.

Please refer to the Administrators permission table (MFA section) for specific permissions required.

  1. From your Administrator Dashboard, select Settings > Downloads > Okta RADIUS Server Agent.

  2. Click the Download button and run the Okta RADIUS installer.

  3. Proceed through the installation wizard to the "Important Information" and "License Information" screens.

  4. Choose the Installation folder and click the Install button.

  5. On the Okta RADIUS Agent Configuration screen, enter your RADIUS shared secret and RADIUS port number. If you are using the RADIUS application in Okta, the port and shared secret are configured there instead and are not required here.

    Note

    As of version 2.9.6 EA, the RADIUS shared secret and port are not required. When installing RADIUS Agent v2.9.6 EA or later, these screens are not displayed.

    Note

    Avoid the use of special characters when entering the shared secret. Certain special characters can cause the installation to fail with Error Code: 3.

  6. On the Okta RADIUS Agent Proxy Configuration screen, you can optionally enter your proxy information. Click the Next button.

  7. On the Register Okta RADIUS Agent screen, choose your org version and enter your subdomain. For example, if you access Okta using https://mycompany.okta.com, enter "mycompany".
      • Production: select Production and enter a production domain, for example mycompany.okta.com.
      • Preview: select Preview and enter a preview domain, for example mycompany.oktapreview.com.
      • Custom: select Custom and enter a custom domain, for example mycompany.mydomain.com[:port].

  8. If you are setting this up to test on your Okta Preview Sandbox org, enter the complete URL for your org, for example https://mycompany.oktapreview.com.
  9. For Windows Server 2008 R2 Core only: open a browser and enter the provided URL in the address field. This authorizes the installer to use Okta.

  10. Click the Next button to continue to the Okta Sign In page.
  11. Sign in with the dedicated service account on the Sign In screen.
  12. Click the Allow Access button.

  13. The confirmation screen appears. Click the Finish button to complete the installation.
    Note

    If during the agent installation you encounter Error code 12: Could not establish trust relationship for the SSL/TLS service channel, ensure that you are running the latest version of the agent, as older agent versions do not support TLS 1.2.

  14. Configure a RADIUS app in Okta to set the RADIUS agent port, shared secret, and advanced RADIUS settings.
    For more information about configuring the RADIUS app in your Okta tenant, see RADIUS applications in Okta.

Additional Property Configurations

You can override the defaults on the following properties, if desired.

Important

Changes to the RADIUS Agent config.properties are only loaded on agent restart.
Always restart your agent after changing config.properties.

  1. Open the folder where the Okta RADIUS agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.
  2. From this folder, open current\user\config\radius\config.properties in a text editor such as Notepad. Before making changes, we recommend creating a backup of this file.
  3. Configure any of the properties shown below, as required.
  4. When done, save the file.
  5. Changes take effect only after you restart the Okta RADIUS Agent service using the Windows administrative tools.

Property: ragent.num_max_http_connection
Description: The maximum number of HTTP connections in the connection pool.
Default: 20

Property: ragent.num_request_threads
Description: The number of authentication worker threads available for processing requests.
Default: 15

Property: ragent.total.request.timeout.millisecond
Description: The maximum time the RADIUS agent is allowed to process a UDP packet after it has arrived from the RADIUS client. For the Okta Verify with Push factor, the agent interprets the actual value as one half of the configured value; for example, 60000 = 60 seconds, divided in half = 30 seconds. For all other factors the value is used as specified.
Default: 60000

Property: ragent.request.timeout.millisecond
Description: The maximum time the RADIUS agent is allowed to process a UDP packet after it has arrived from the RADIUS client. If specified, ragent.total.request.timeout.millisecond is ignored. If not specified, ragent.total.request.timeout.millisecond is used. Available since version 2.9.4.
Default: N/A (defaults to the value of ragent.total.request.timeout.millisecond)

Property: ragent.okta.request.max.timeout.millisecond
Description: The socket timeout set on the Okta API request. This property only applies if configured; otherwise, it is computed dynamically from the total request timeout setting.
Default: Dynamic, based on the remaining TTL for the request

Property: ragent.request.timeout.response.mode
Description: The timeout response mode. Possible values:
  • SEND_REJECT_ALWAYS - the agent sends a reject message to the client after any timeout.
  • SEND_REJECT_ON_POLL_MFA - the agent sends a reject message to the client only if a timeout occurs during the MFA polling loop (that is, while the agent is polling Okta to determine whether the user has correctly responded to an MFA challenge such as a push notification). If a timeout occurs at any other time, no response is sent to the client.
  • NO_RESPONSE - no response is sent to the client when the agent times out.
Default: SEND_REJECT_ON_POLL_MFA

Property: ragent.mfa.timeout.seconds
Description: Time, in seconds, that the agent waits for the client to respond to an MFA challenge such as factor selection.
Default: 60

Important

When using the RADIUS agent with a VPN such as Cisco ASA VPN, configure the following timeout values on both the RADIUS agent and the VPN:

RADIUS agent v2.9.3 and earlier without Okta Verify Push:
ragent.total.request.timeout.millisecond = VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries

RADIUS agent v2.9.3 and earlier with Okta Verify Push (the agent halves the total timeout for the push factor, so the value is doubled):
ragent.total.request.timeout.millisecond = 2 * (VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries)

RADIUS agent v2.9.4 and later:
ragent.request.timeout.millisecond = VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries

Note:

  • VPN retry count should be between 3 and 5.
  • VPN request timeout should be 15-60 s (60-120 s when using Okta Verify Push).

For example, where:

  • VPN retry count = 5
  • VPN request timeout = 60 s
  • VPN wait between retries = 5 s

Then VPN authentication timeout = 5 * (60 + 5) - 5 = 320 s, or 320000 ms (the last attempt is not followed by a wait, hence the subtraction).
RADIUS agent v2.9.3 and earlier without Okta Verify Push: ragent.total.request.timeout.millisecond = 320000.
RADIUS agent v2.9.3 and earlier with Okta Verify Push: ragent.total.request.timeout.millisecond = 2 * 320000 = 640000.

RADIUS agent v2.9.4 and later: ragent.request.timeout.millisecond = 320000.
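The timeout derivation above, as an added example that is not part of Okta's documentation or agent code: a small Python helper that applies the VPN budget formula, checks the recommended retry and timeout ranges, and chooses the property name and the push-doubling rule by agent version. The function names and the version-comparison helper are this example's own.

```python
"""Derive the Okta RADIUS agent timeout from the VPN's RADIUS retry settings.

Added example; function and parameter names are this example's own.
"""
from __future__ import annotations


def parse_version(version: str) -> tuple[int, ...]:
    """'2.9.4' -> (2, 9, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def vpn_range_problems(retry_count: int, timeout_s: int, push: bool) -> list[str]:
    """Range checks from the note above; an empty list means the values are in range."""
    problems = []
    if not 3 <= retry_count <= 5:
        problems.append("VPN retry count should be between 3 and 5")
    low, high = (60, 120) if push else (15, 60)
    if not low <= timeout_s <= high:
        problems.append(f"VPN request timeout should be {low}-{high} s"
                        + (" when using Okta Verify Push" if push else ""))
    return problems


def vpn_auth_timeout_ms(retry_count: int, timeout_s: int, wait_s: int, push: bool) -> int:
    """Total time the VPN waits for a RADIUS answer before giving up, in ms:
    retry count * (timeout + wait between retries) - wait between retries.
    The final attempt is not followed by a wait, hence the subtraction."""
    problems = vpn_range_problems(retry_count, timeout_s, push)
    if problems:
        raise ValueError("; ".join(problems))
    return (retry_count * (timeout_s + wait_s) - wait_s) * 1000


def agent_timeout_property(agent_version: str, retry_count: int, timeout_s: int,
                           wait_s: int, push: bool) -> tuple[str, int]:
    """Return (property name, value in ms) for config.properties so that the
    agent's processing budget matches the VPN's authentication timeout."""
    budget_ms = vpn_auth_timeout_ms(retry_count, timeout_s, wait_s, push)
    if parse_version(agent_version) >= (2, 9, 4):
        # 2.9.4 and later: per-request timeout, used as specified for every factor.
        return "ragent.request.timeout.millisecond", budget_ms
    # 2.9.3 and earlier: the total timeout is halved for Okta Verify Push,
    # so it must be doubled to leave the same effective budget.
    return "ragent.total.request.timeout.millisecond", 2 * budget_ms if push else budget_ms


if __name__ == "__main__":
    # Worked example from the page: 5 retries, 60 s timeout, 5 s wait between retries.
    for version, push in (("2.9.3", False), ("2.9.3", True), ("2.9.4", False)):
        key, value = agent_timeout_property(version, 5, 60, 5, push)
        print(f"agent {version}, push={push}: {key} = {value}")
```

The VPN side still needs its own retry count, timeout and wait configured to the same values; the helper only tells you what to put on the agent side so that the agent does not give up before the VPN does, or keep working on a request the VPN has already abandoned.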

The following properties apply to proxy configuration only.

Property: ragent.proxy.enabled
Description: Indicates that the RADIUS agent should use a proxy. Must be set to true.
Example: ragent.proxy.enabled = true
Default: Not present; must be added to config.properties.

Property: ragent.proxy.address
Description: The IP address and port (if required) of the proxy. If ragent.proxy.enabled is set to true, this property must exist.
Example: ragent.proxy.address = 127.0.0.1:8888
Default: Not present; must be added to config.properties.

Property: ragent.ssl.pinning
Description: If the proxy terminates the SSL connection, SSL pinning must be disabled. Disabling pinning removes the agent's check that the certificate it sees is Okta's own, so do this only for a proxy you control and leave the default in place otherwise.
Example: ragent.ssl.pinning = false
Default: true

Property: ragent.proxy.user, ragent.proxy.password
Description: Proxy credentials, if required. Encrypted on agent restart.
Example:
ragent.proxy.user = admin
ragent.proxy.password = password
Default: Not present; must be added to config.properties.
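The config.properties edit procedure above and the proxy settings here, as an added example that is not Okta's code: a Python script that backs up the file, rewrites keys that already exist in place and appends keys that do not (the proxy properties are not present by default), then runs sanity checks drawn from the property descriptions on this page. The sample file contents, the check list and the function names are constructed for this example; the default path is the one named in the procedure.

```python
"""Update the Okta RADIUS agent's config.properties: back up, edit, validate.

Added example, not Okta's code. The sample file, the checks and the
function names are this example's own; the path is the documented default.
"""
from __future__ import annotations

import shutil
import tempfile
import time
from pathlib import Path

# Default install location named in the procedure above (assumed unchanged).
DEFAULT_CONFIG = Path(r"C:\Program Files (x86)\Okta\Okta RADIUS Agent"
                      r"\current\user\config\radius\config.properties")

RESPONSE_MODES = {"SEND_REJECT_ALWAYS", "SEND_REJECT_ON_POLL_MFA", "NO_RESPONSE"}
MILLISECOND_KEYS = (
    "ragent.total.request.timeout.millisecond",
    "ragent.request.timeout.millisecond",
    "ragent.okta.request.max.timeout.millisecond",
)

# Constructed sample for the stand-alone run; not a real agent file.
SAMPLE_CONFIG = """# Okta RADIUS agent settings (constructed sample)
ragent.num_max_http_connection = 20
ragent.num_request_threads = 15
ragent.total.request.timeout.millisecond = 60000
ragent.request.timeout.response.mode = SEND_REJECT_ON_POLL_MFA
"""


def _split(line: str) -> tuple[str, str] | None:
    """Return (key, value) for a 'key = value' line, None for blanks and comments."""
    s = line.strip()
    if not s or s.startswith(("#", "!")) or "=" not in s:
        return None
    key, value = s.split("=", 1)
    return key.strip(), value.strip()


def parse_properties(text: str) -> dict[str, str]:
    return dict(kv for kv in map(_split, text.splitlines()) if kv)


def render_properties(original: str, updates: dict[str, str]) -> str:
    """Rewrite keys already in the file in place (keeping order and comments)
    and append the rest, which is how the proxy properties must be added."""
    out, seen = [], set()
    for line in original.splitlines():
        kv = _split(line)
        if kv and kv[0] in updates:
            out.append(f"{kv[0]} = {updates[kv[0]]}")
            seen.add(kv[0])
        else:
            out.append(line)
    out.extend(f"{k} = {v}" for k, v in updates.items() if k not in seen)
    return "\n".join(out) + "\n"


def validate(props: dict[str, str]) -> list[str]:
    """Sanity checks derived from the property descriptions on this page."""
    problems = []
    if props.get("ragent.proxy.enabled", "").lower() == "true" and not props.get("ragent.proxy.address"):
        problems.append("ragent.proxy.enabled=true but ragent.proxy.address is not set")
    if props.get("ragent.ssl.pinning", "true").lower() == "false":
        problems.append("ragent.ssl.pinning=false: the agent no longer pins Okta's certificate; "
                        "acceptable only when a proxy you control terminates TLS")
    mode = props.get("ragent.request.timeout.response.mode")
    if mode is not None and mode not in RESPONSE_MODES:
        problems.append(f"unknown ragent.request.timeout.response.mode: {mode}")
    for key in MILLISECOND_KEYS:
        if key in props and not props[key].isdigit():
            problems.append(f"{key} must be a whole number of milliseconds")
    return problems


def apply_updates(path: Path, updates: dict[str, str]) -> tuple[Path, list[str]]:
    """Back up the file, write the updates, return (backup path, problems).
    The agent reads the file only at start-up, so restart the service afterwards."""
    original = path.read_text(encoding="utf-8")
    backup = path.with_name(f"{path.name}.{time.strftime('%Y%m%d-%H%M%S')}.bak")
    shutil.copy2(path, backup)
    new_text = render_properties(original, updates)
    path.write_text(new_text, encoding="utf-8")
    return backup, validate(parse_properties(new_text))


if __name__ == "__main__":
    # Stand-alone run against a temporary copy of the sample, not the live file.
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "config.properties"
        cfg.write_text(SAMPLE_CONFIG, encoding="utf-8")
        backup, problems = apply_updates(cfg, {
            "ragent.request.timeout.millisecond": "320000",  # value from the VPN formula above
            "ragent.proxy.enabled": "true",
            "ragent.proxy.address": "127.0.0.1:8888",
            "ragent.ssl.pinning": "false",
        })
        print(cfg.read_text(encoding="utf-8"))
        print("backup:", backup.name)
        for p in problems:
            print("WARN:", p)
```

Point it at DEFAULT_CONFIG only from an account that can write to the agent's install folder, and restart the Okta RADIUS Agent service afterwards, since changes are loaded only on restart. If you add ragent.proxy.password, it sits in clear text until that restart encrypts it, so keep the file's ACL limited to administrators.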


For a complete list of all steps, as well as detailed steps for installing the Okta RADIUS agent, see: