RADIUS common concerns

Troubleshooting Common RADIUS Issues



RADIUS Server Agent will not install

  • Ensure you are installing on one of the supported Windows or Linux versions for Okta RADIUS.
  • The Okta RADIUS agent can be installed on the following Windows Server versions:

    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019

    Windows versions 2008, 2008 R2 and 2003 R2 are not supported.

    The Okta RADIUS agent has been tested on the following Linux versions:

    • Red Hat Enterprise Linux release 8.0, 8.3
    • CentOS 7.6
    • Ubuntu 18.04.4, 20.04.1 LTS
  • Use the full Okta URL under “Custom” instead of just subdomain under “Production” in the installer.
  • Check for the presence of a proxy server, the RADIUS Server Agent installer is sensitive about proxies.
  • Check for a SSL interception device like a Palo Alto or FireEye. This is related to certificate pinning and affects all agents.
  • Try a different server in the environment just to eliminate any local machine issues.
  • Make sure there are no leftover files under c:\program files (x86)\Okta\Okta RADIUS\ from a previous failed install.
  • Check Windows services.msc to make sure there isn’t a bad Okta RADIUS service leftover from a previous install (rare).
  • Try another version of the RADIUS Server Agent like like the newest EA version.

VPN device can’t reach RADIUS Server Agent

  • The RADIUS Server Agent is running but the RADIUS client device cannot reach it (note: different than failing logins)
  • Check the Okta RADIUS logs under C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\logs\ to see if any connections are being made. Any connection, even failed ones, should show up.
  • Double check the server name/server IP entered into the VPN device, just to make sure it was keyed in correctly.
  • Verify the status of the Windows firewall on the Okta RADIUS Server Agent server to make sure it is not blocking the connection.
  • Verify that the VPN device and the server can reach each other via ping or ask for a network admin to verify network connectivity.
  • Configure the RADIUS server using the IP address instead of the hostname. There are networks where DNS is limited and hostnames will not resolve.
  • Determine if network layer issues are preventing connection with network engineer (NTRADPing can be helpful here).

Correct credentials fail to authenticate

  • The RADIUS Server Agent is rejecting valid login attempts
  • Verify the user is assigned to the RADIUS App in Okta.
  • Verify the user is enrolled in MFA.
  • Verify the shared secret on both the Okta RADIUS Server Agent and on the VPN device. A mismatch will cause all authentications to fail.
  • Check the local RADIUS logs.
  • Also look for any errors that could indicate the API token expired.
  • If you see a malformed username in the logs, like the user sent “bob” but the log shows a “Á” this indicates that the server is using MSCHAPv2 to encode the username. Check the VPN device configuration to make sure only PAP authentication is enabled.
  • Check the Okta syslog to see why the connection was rejected.
  • Check VPN device for any settings that could/would restrict login.

User not prompted for preferred factor

  • The server or client doesn’t support RADIUS challenge
  • OpenVPN server does support RADIUS challenge but the free client that is included with it does not support the method and fails.
  • Some versions of Cisco’s AnyConnect VPN client have issues with challenge. It is sporadic and upgrading to the latest version usually fixes it.
  • VMWare View prior to version 5.1 does not support RADIUS challenge.
  • This is not true two-factor auth unless it is paired with AD/LDAP auth! This may or may not be a concern.
  • For information on 2FA (to use only the second factor in MFA), see Using the Okta RADIUS App.

Changes to RADIUS agent config.properties not taking effect.

  • Changes have been made to RADIUS agent config.properties file, but these changes are not being reflected in the RADIUS Agent.
  • The RADIUS Agent must be restarted after making any changes to the config.properties file.
  • Changes made in the associated app in the Okta org do NOT require an agent restart.
    However, the agent may take a few minutes before it retrieves the updated configuration.
  • For more information about RADIUS Agent properties see the Additional Properties section in Install and configure the Okta RADIUS Server agent on Windows.