RADIUS common concerns
Troubleshooting Common RADIUS Issues
- RADIUS Server Agent will not install
- VPN device can’t reach RADIUS Server Agent
- Correct credentials fail to authenticate
- User not prompted for preferred factor
- Changes to RADIUS agent config.properties not taking effect.
- Ensure you are installing on one of the supported Windows or Linux versions for Okta RADIUS.
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Red Hat Enterprise Linux release 8.0, 8.3
- CentOS 7.6
- Ubuntu 18.04.4, 20.04.1 LTS
- Use the full Okta URL under “Custom” instead of just subdomain under “Production” in the installer.
- Check for the presence of a proxy server, the RADIUS Server Agent installer is sensitive about proxies.
- Check for a SSL interception device like a Palo Alto or FireEye. This is related to certificate pinning and affects all agents.
- Try a different server in the environment just to eliminate any local machine issues.
- Make sure there are no leftover files under c:\program files (x86)\Okta\Okta RADIUS\ from a previous failed install.
- Check Windows services.msc to make sure there isn’t a bad Okta RADIUS service leftover from a previous install (rare).
- Try another version of the RADIUS Server Agent like like the newest EA version.
The Okta RADIUS agent can be installed on the following Windows Server versions:
Windows versions 2008, 2008 R2 and 2003 R2 are not supported.
The Okta RADIUS agent has been tested on the following Linux versions:
- The RADIUS Server Agent is running but the RADIUS client device cannot reach it (note: different than failing logins)
- Check the Okta RADIUS logs under C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\logs\ to see if any connections are being made. Any connection, even failed ones, should show up.
- Double check the server name/server IP entered into the VPN device, just to make sure it was keyed in correctly.
- Verify the status of the Windows firewall on the Okta RADIUS Server Agent server to make sure it is not blocking the connection.
- Verify that the VPN device and the server can reach each other via ping or ask for a network admin to verify network connectivity.
- Configure the RADIUS server using the IP address instead of the hostname. There are networks where DNS is limited and hostnames will not resolve.
- Determine if network layer issues are preventing connection with network engineer (NTRADPing can be helpful here).
- The RADIUS Server Agent is rejecting valid login attempts
- Verify the user is assigned to the RADIUS App in Okta.
- Verify the user is enrolled in MFA.
- Verify the shared secret on both the Okta RADIUS Server Agent and on the VPN device. A mismatch will cause all authentications to fail.
- Check the local RADIUS logs.
- Also look for any errors that could indicate the API token expired.
- If you see a malformed username in the logs, like the user sent “bob” but the log shows a “Á” this indicates that the server is using MSCHAPv2 to encode the username. Check the VPN device configuration to make sure only PAP authentication is enabled.
- Check the Okta syslog to see why the connection was rejected.
- Check VPN device for any settings that could/would restrict login.
- The server or client doesn’t support RADIUS challenge
- OpenVPN server does support RADIUS challenge but the free client that is included with it does not support the method and fails.
- Some versions of Cisco’s AnyConnect VPN client have issues with challenge. It is sporadic and upgrading to the latest version usually fixes it.
- VMWare View prior to version 5.1 does not support RADIUS challenge.
- This is not true two-factor auth unless it is paired with AD/LDAP auth! This may or may not be a concern.
- For information on 2FA (to use only the second factor in MFA), see Using the Okta RADIUS App.
- Changes have been made to RADIUS agent config.properties file, but these changes are not being reflected in the RADIUS Agent.
- The RADIUS Agent must be restarted after making any changes to the config.properties file.
- Changes made in the associated app in the Okta org do NOT require an agent restart.
However, the agent may take a few minutes before it retrieves the updated configuration.
- For more information about RADIUS Agent properties see the Additional Properties section in Install and configure the Okta RADIUS Server agent on Windows.