Configure Palo Alto Networks VPN to interoperate with Okta via RADIUS

This guide details how to configure Palo Alto Networks VPN to use the Okta RADIUS Server Agent.

Okta and Palo Alto Networks interoperate through either RADIUS or SAML 2.0. For each Palo Alto gateway, you can assign one or more authentication providers.

Each authentication profile maps to to an authentication server, which can be RADIUS, TACAS+, LDAP, etc. Using RADIUS, Okta’s agent translates RADIUS authentication requests from the VPN into Okta API calls.

Important Note

Important

This page describes how to integrate using RADIUS integration for Palo Alto Network VPN when running PanOS versions older than 8.0. It does not describe how to integrate using Palo Alto Networks and SAML.  
When running PanOS 8.0, 9.0 or newer integrate using SAML.
For more information see:

Topics

Before you begin

Before installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity:

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud TCP/443
HTTP
Configuration and authentication traffic
Client Gateway Okta RADIUS Agent UDP/1812 RADIUS (Default, may be changed in RADIUS app install and configuration) RADIUS traffic between the gateway (client) and the RADIUS Agent (server)

See Palo Alto Networks VPN supported features and factors for a complete list of supported version, factor and related information.

Typical workflow

Task

Description

Download the RADIUS agent
Install the Okta RADIUS Agent.
  • Install either the Windows or Linux RADIUS agents as appropriate for your environment.
Configure application
Configure gateway
Configure optional settings
Test
Troubleshoot
  • When required troubleshoot the integration.

Related topics