Install the Agent

During this task we will install the On-Prem MFA agent.

The On-Prem MFA agent (v 1.3.3 or later) supports proxy configuration with your RADIUS enabled on-prem MFA server, including RSA Authentication manager for RSA SecurIDs.

Installs not requiring proxy support can ignore the steps marked [proxy-only].


Before you begin

  • Ensure that you have the common UDP port and secret key values available and that the Okta RADIUS agent port 1812 is open.

Install the agent

Determine instance ID

The On-Prem MFA agent installer requires an instance identifier.

  1. In a browser, Navigate to your Okta Org and Login as an Administrator.
  2. Select Security > Authenticators.
  3. For either of On-Prem MFA or RSA SecurID authenticators used in the Add and configure On-Prem MFA/RSA SecurID, select Actions > Edit.
  4. Click Add new Agent.
  5. Copy the provided instance ID.

Execute the installer

  1. Navigate to the directory where the On-Prem MFA agent installer was downloaded and execute the installer as administrator.
  2. On the initial screen click Next.
  3. Click Next through the "Important Information" and "License Information" screens.
  4. Accept the default installation folder or browse to a different folder and then click Install.
    The install will begin.
    Proxy-only: Take note of the installation path, which will be used to enable proxies later in this install.
  5. On the Okta On-Prem Agent Configuration screen, enter your Instance ID.
    Instance ID can be found in the in the apps Settings page in your Okta org.
    See The Custom Option in Enabling the Agent .
  6. In the Register Okta On-Prem MFA Agent dialog enter the fully qualified URL for your org, for example, Click Next.
  7. Proxy - only - Modify settings to include a proxy.
    1. Leave the Okta Sign In page without signing in and open a File Explorer window.
    2. From File Explorer, locate and navigate to your file '
      For example: <AGENT_INSTALL_PATH>\current\user\config\rsa-securid\
    3. Open the file in a text editor.
    4. At the bottom of the file add proxy configuration key/value pairs. Proxy includes the following key/value pairs:
      proxyAddress = <ipaddress:[port]>

      proxyUsername = <username>

      proxyPassword = <password of proxyUsername>
    5. Save the file.
    6. Return to the installer.

    Example configuration for a proxy with protocol: http, host:, and port: 3128.

Note: If all the properties occur on a single line, add proxy settings beneath it.

  1. On the Sign In screen sign in to Okta.

    When signing in, you must use an account which has one of Super admin, App admin or API Access Management admin. See OpenID Connect end-to-end scenario.

  2. Click the Allow Access button.
  3. Bring the installer to the front to view completion of the install.
  4. The Installation Completed screen appears. If not, see Troubleshooting below.
  5. Click the Finish button to complete the installation.

    To complete the installation, Windows must be restarted. Select Yes, restart Windows now (recommended) and then click Finish to restart Windows immediately.

Specifying proxies for existing MFA agent

  1. From your File Explorer navigate to your existing installation folder.
  2. Edit C:\Program Files (x86)\....\Okta On-Prem MFA Agent\ current\user\config\rsa-securid\
  3. Add your proxy configurations to the bottom of this file. Example keys are proxyAddress, proxyUsername, or proxyPassword.

The following is a simple configuration for a proxy using the http protocol, with a host of and a port of 3128.

Note: If all the properties occur on a single line, simply add your proxy settings beneath it.

  1. Save this file and run the installer for MFA-Agent.
  2. When the installation completes, an installation completed message appears. If not, see Troubleshooting below.


If your installation was not successful:

New installation

Confirm your proxy settings OR

Retry using sslPinningEnabled = false (Warning: only use this option if you're confident in how this works).

Upgrade - proxy only

If you enter proxy properties that are inaccurate, the installer may appear to succeed, but the agent will eventually fail. To verify these properties, examine the last connected timestamp on your list of agents in the Okta Administrator Dashboard.