Configure Palo Alto Networks VPN to interoperate with Okta via RADIUS
This guide details how to configure Palo Alto Networks VPN to use the Okta RADIUS Server Agent.
Okta and Palo Alto Networks interoperate through either RADIUS or SAML 2.0. For each Palo Alto gateway, you can assign one or more authentication providers.
Each authentication profile maps to to an authentication server, which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls.

Important
This page describes how to integrate using RADIUS integration for Palo Alto Network VPN when running PanOS versions older than 8.0. It does not describe how to integrate using Palo Alto Networks and SAML.
When running PanOS 8.0, 9.0 or newer integrate using SAML.
For more information see:
Topics
Before you begin
Before installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity:
Source | Destination | Port/Protocol | Description |
---|---|---|---|
Okta RADIUS Agent | Okta Identity Cloud | TCP/443 HTTP |
Configuration and authentication traffic |
Client Gateway | Okta RADIUS Agent | UDP/1812 RADIUS (Default, may be changed in RADIUS app install and configuration) | RADIUS traffic between the gateway (client) and the RADIUS Agent (server) |
See Palo Alto Networks VPN supported features and factors for a complete list of supported version, factor and related information.
Typical workflow
Task |
Description |
---|---|
Download the RADIUS agent |
|
Install the Okta RADIUS Agent. | |
Configure application |
|
Configure gateway |
|
Configure optional settings |
|
Test | |
Troubleshoot |
|
Related topics
- SAML vs RADIUS interoperability
- Installing the Okta RADIUS Agent under Windows or Linux.