Install Okta RADIUS Server agent on Windows
The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication (SFA) or multifactor authentication (MFA). It installs as a Windows service and supports the Password Authentication Protocol (PAP).
A RADIUS client sends the RADIUS agent the credentials (username and password) of a user that's requesting access to the client. Then, based on the org settings:
- If MFA is disabled and the user credentials are valid, the user is authenticated.
- If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one (for example, Google Authenticator or Okta Verify) and obtains a request for a validation code. If the code sent back to the client is correct, the user gains access.
Some applications or services (for example, AWS Workspace) don't provide an MFA selection upon login, but instead ask for the MFA code in addition to the user's username and password. In the event that the user has enrolled in more than one MFA (for example, Okta Verify and Yubikey), there's no need for the user to specify which they are using – their entered code will be processed by each handler until it is validated successfully.
Supported Operating Systems
The Okta RADIUS agent can be installed on the following Windows Server versions:
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Windows versions 2008, 2008 R2 and 2003 R2 are not supported.
Requirements and limitations
Upgrading to Version 2.2.0 and later and SSL Pinning
RADIUS agent versions 2.2.0 and later are enabled with SSL pinning, providing an extra layer of security. SSL pinning is not enabled by default for current users upgrading to the new agent. If you're upgrading from an agent version earlier than v2.2.0, do the following after the upgrade.
The following steps should not be performed for agents on a network containing a web security appliance.
- Open the folder where the Okta RADIUS agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\
- From this folder, navigate to current\user\config\radius\config.properties. Create back up copies of the config.properties and additional-config.properties files. Open current\user\config\radius\config.properties in a text editor.
- Append the following to the end of the file:
ragent.ssl.pinning = true
- Save the file.
- Restart the Okta RADIUS Agent service using the available Windows administrative tools.
This process restricts agent communication to only servers which can present valid certificates with public keys known to the new agents.
Typical workflow
|
Task |
Description |
|---|---|
| Download the RADIUS agent |
|
| Configure RADIUS apps |
To enable RADIUS authentication with Okta, you must install the Okta RADIUS server agent and configure one or more RADIUS applications in the Okta admin console. Admin console RADIUS applications allow Okta to distinguish between different RADIUS-enabled apps and support them concurrently. In addition, Okta RADIUS applications support policy creation and assignment of the application to groups.
For more information on configuring the RADIUS App see RADIUS applications in Okta. |
| Install the agent | Install the RADIUS Windows agent |
| Configure additional properties | Configure properties |
| Manage the agent | You can open the Okta RADIUS Agent Manager to make changes to the Shared Secret, RADIUS Port, and Proxy settings using . |
| Access and manage log files | Access and manage log files |
|
Troubleshoot |
Troubleshoot the Windows RADIUS agent |
| Uninstall the agent | Uninstall the Windows RADIUS agent |