RADIUS and MFA known issues and limitations

This document describes the limitations when you upgrade RADIUS or MFA agents from Classic Engine to Identity Engine.

MFA for Active Directory Federation Services

Identity Engine doesn't support MFA for Active Directory Federation Services (ADFS).

Personal Identity Verification

Identity Engine doesn't support Personal Identity Verification (PIV).

Question authenticator with MFA for ADFS

If an org that uses MFA for ADFS in Classic Engine upgrades to Identity Engine and then configures the Security Question authenticator, the Security Question authenticator doesn't appear during authentication flows.

Permissions error

The Okta On-Prem MFA agent supports both On-Prem MFA and RSA SecurID. Org admins who switch between these receive a permissions error. To avoid the error, perform the same action as a super admin.

Unsupported operation error

The Okta On-Prem MFA agent supports both On-Prem MFA and RSA SecurID. When you switch between these, an unsupported operation error can occur. Avoid this error by first disabling the current authenticator and then enabling the replacement.

When swapping an On-Prem MFA or RSA SecurID authenticator, Okta prompts you to disable the existing authenticator.

Configure replacement authenticator

  1. In a browser, go to your Okta org and sign in as an administrator.
  2. Click Security > Authenticators.
  3. From the Add Authenticator dialog, select either RSA SecurID or On-Prem MFA.

Configure On-Prem MFA replacement

  1. Enter the following fields:
    • Provider name: This is the name that appears to end users during their login challenge.
    • Username format: Select the format expected by the provider.
    • Hostname: The server host name or IP address.
    • Authentication Port: The RADIUS server port (for example, 1812) defined during the On-Prem RADIUS server configuration.
    • Shared Secret: An authentication key, defined during the RADIUS server configuration. It must be the same on both the RADIUS client and server.
  2. Click Add.
  3. Click Add New Agent. Note the value of the instance ID.
  4. Activate or Deactivate the authenticator as required.
  5. Click Save.

Configure RSA SecurID replacement

  1. Enter the following fields:
    • Username format: Select the format expected by the provider.
    • Hostname: The server host name or IP address.
    • Authentication Port: The RADIUS server port (for example, 1812). This is defined when the On-Prem RADIUS server is configured.
    • Shared Secret: An authentication key that must be defined when the RADIUS server is configured, and must be the same on both the RADIUS client and server.
  2. Click Add New Agent. Note the value of the instance ID. You're also provided a download link for the agent installer.
  3. Activate or Deactivate as required.
  4. Click Save.
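As an added example (not Okta's code and not from this page), the following Python shows why the Shared Secret entered in both procedures above must match on the RADIUS client and server: the client only trusts an Access-Accept or Access-Reject after recomputing the RFC 2865 Response Authenticator under its own copy of the secret. The server side, the username and the secret values are constructed stand-ins.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def build_packet(code, identifier, authenticator, attributes):
    # RADIUS header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes

def response_authenticator(code, identifier, request_auth, attributes, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def client_request(identifier, username):
    # Access-Request with a fresh random Request Authenticator and a User-Name (type 1) attribute
    request_auth = os.urandom(16)
    user_name = bytes([1, 2 + len(username)]) + username.encode()
    return build_packet(ACCESS_REQUEST, identifier, request_auth, user_name), request_auth

def server_reply(request, server_secret, accept=True):
    # Constructed stand-in for the RADIUS server: echoes the identifier and signs the reply
    code, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    reply_code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    attrs = b""  # no reply attributes in this example
    auth = response_authenticator(reply_code, identifier, request_auth, attrs, server_secret)
    return build_packet(reply_code, identifier, auth, attrs)

def verify_reply(reply, request_auth, client_secret):
    # Client side: recompute the Response Authenticator under the client's secret and compare
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or length < 20:
        return False
    expected = response_authenticator(code, identifier, request_auth, reply[20:length], client_secret)
    return hmac.compare_digest(expected, reply[4:20])

def exchange(client_secret, server_secret):
    # Full round trip; True only if the client accepts the server's reply
    request, request_auth = client_request(identifier=7, username="alice")
    reply = server_reply(request, server_secret)
    return verify_reply(reply, request_auth, client_secret)

if __name__ == "__main__":
    print("matching secrets:", exchange(b"s3cret", b"s3cret"))   # True
    print("mismatched secrets:", exchange(b"s3cret", b"wrong"))  # False
```

A reply whose Code byte is altered in transit (for example Reject changed to Accept) also fails `verify_reply`, because the Code is covered by the authenticator.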