Install the agent

The On-Prem MFA Agent (v 1.3.3 or later) supports proxy configuration with your RADIUS enabled on-prem MFA server, including RSA Authentication manager for RSA SecurIDs.

Installs that don't require proxy support can ignore the steps marked (Proxy only).

Before you begin

  • Ensure that you have the common UDP port and secret key values available and that the Okta RADIUS agent port 1812 is open.

Install the agent

Determine instance ID

The On-Prem MFA Agent installer requires an instance identifier.

  1. In a browser, Navigate to your Okta Org and Login as an Administrator.
  2. Select SecurityAuthenticators.
  3. For either of On-Prem MFA or RSA SecurID authenticators used in the Add and configure On-Prem MFA/RSA SecurID, select ActionsEdit.
  4. Click Add new Agent.
  5. Copy the provided instance ID.

Run the installer

  1. Go to the directory where you saved the On-Prem MFA Agent installer. Run the installer as administrator.
  2. Click Next.
  3. Click Next on the "Important Information" and "License Information" pages.
  4. Accept the default installation folder or browse to a different folder and then click Install.

    (Proxy-only): Note the installation path, you need it to enable proxies in later steps.

  5. Enter your Instance ID on the Okta On-Prem Agent Configuration page. You can find this value in the app's Settings page in your Okta org.
  6. In the Register Okta On-Prem MFA Agent dialog enter the fully qualified URL for your org, for example, Click Next.
  7. (Proxy - only) Modify settings to include a proxy.
    1. Leave the Okta Sign In page without signing in and open a File Explorer window.
    2. Locate your file (for example, <AGENT_INSTALL_PATH>\current\user\config\rsa-securid\
    3. Open the file in a text editor.
    4. Add proxy configuration key/value pairs to the end of the file. A proxy includes the following key/value pairs:
      proxyAddress = http://<ipaddress:[port]>
      proxyUsername = <username>
      proxyPassword = <password of proxyUsername>
    5. Save the file.
    6. Return to the installer.

    For example, the entry for a proxy using the http protocol that runs on port 3128 of the host at is:

    If all the properties occur on a single line, add proxy settings beneath it.

  1. (Optional) Extend client session timeout. Contact your account representative to change this setting.

    The default value of 3000 ms is sufficient in most cases, but it may need to be increased in situations where push is being used.

    1. Open the file in an editor.

    2. Edit the radiusSocketTimeoutMs field to a value between 1 - 30000 ms. If the parameter is missing, add it at the bottom of the file.

  2. On the Sign In screen sign in to Okta.

    When signing in, you must use an account that has one of Super admin, App admin, or API Access Management admin. See OpenID Connect end-to-end scenario.

  3. Click the Allow Access button.
  4. Bring the installer to the front to view completion of the install.
  5. The Installation Completed screen appears. If not, see Troubleshooting below.
  6. Click the Finish button to complete the installation.

    Restart Windows to complete the installation. Select Yes, restart Windows now (recommended) and then click Finish to immediately restart Windows.

Specify proxies for existing MFA agent

  1. Go to your existing installation folder.
  2. Edit C:\Program Files (x86)\....\Okta On-Prem MFA Agent\current\user\config\rsa-securid\
  3. Add your proxy configurations to the bottom of this file. Example keys are proxyAddress, proxyUsername, or proxyPassword.

The following is a simple configuration for a proxy using the http protocol, with a host of and a port of 3128:

Note: If all the properties occur on a single line, simply add your proxy settings beneath it.

  1. Save this file and run the installer for MFA-Agent.
  2. When the installation completes, a message appears stating it successfully completed. If not, see the Troubleshooting section.


New installation

If you encountered an error when installing, try to confirm your proxy settings. You can also retry the installation using sslPinningEnabled = false, but you should only use this option if you're confident in how this works.

Upgrade (Proxy only)

If you entered proxy properties that are inaccurate, the installer may appear to succeed, but the agent will eventually fail. To verify these properties, examine the last connected timestamp on your list of agents in the Okta Administrator Dashboard.