RADIUS network zones

When required you can configure Okta to enforce, restrict, or provide different levels of access depending on the IP address, network zone or geolocation of users accessing your RADIUS-enabled system.

When configuring network zones for use with RADIUS consider the following:

  • Report Client IP attribute- Often a VPN requirement. Typically set to Calling-Station-Id. For more information see Client IP reporting.
  • Network Zones - Network Zones define security perimeters around which admins can restrict or limit access based IP address, a range of IP addresses, geo-locations or more.
    See About Network Zones and RADIUS service address filtering for more information. Includes both IP Zones and Dynamic zones.
  • IP Zones - Typically required to correctly process VPN/WiFi client IP addresses when the Report Client IP attribute is configured. For more information see About IP Zones and Client IP reporting
  • Geolocation or Dynamic Zones - Dynamic Zones allows admins to define network perimeters around location, IP Type and Autonomous System Number (ASN).
    For more information see About Dynamic Zones.
  • Location based block listing - Location based block listing can deny RADIUS clients access by blocking a Network Zone such as an IP Zone or Dynamic Zone. IP Zones contain a list of IP addresses while Dynamic Zones contain a list of locations, ASNs, or IP types. Often used with geo-location based org-wide block listing.
    For more information see Blocklist Network Zones
  • RADIUS Agent external public-IP address (as seen by Okta) - The RADIUS agent external public IP address must be configured as a trusted proxy. If not, Okta will treat the RADIUS agent’s IP address as that of the end-user, resulting in unexpected behavior.
Note

Contact Okta if any of these features are required but not available in your org.