Install Okta RADIUS Server agent on Windows

The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication (SFA) or multifactor authentication (MFA). It installs as a Windows service and supports the Password Authentication Protocol (PAP).

A RADIUS client sends the RADIUS agent the credentials (username and password) of a user that's requesting access to the client. Then, based on the org settings:

  • If MFA is disabled and the user credentials are valid, the user is authenticated.
  • If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one (for example, Google Authenticator or Okta Verify) and obtains a request for a validation code. If the code sent back to the client is correct, the user gains access.

Some applications or services (for example, AWS Workspace) don't provide an MFA selection upon login, but instead ask for the MFA code in addition to the user's username and password. In the event that the user has enrolled in more than one MFA (for example, Okta Verify and Yubikey), there's no need for the user to specify which they are using – their entered code will be processed by each handler until it is validated successfully.

Supported Operating Systems

The Okta RADIUS agent can be installed on the following Windows Server versions:

  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Windows versions 2008, 2008 R2 and 2003 R2 are not supported.

Requirements and limitations

Upgrading to Version 2.2.0 and later and SSL Pinning

RADIUS agent versions 2.2.0 and later are enabled with SSL pinning, providing an extra layer of security. SSL pinning is not enabled by default for current users upgrading to the new agent. If you're upgrading from an agent version earlier than v2.2.0, do the following after the upgrade.

The following steps should not be performed for agents on a network containing a web security appliance.

  1. Open the folder where the Okta RADIUS agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\
  2. From this folder, navigate to current\user\config\radius\ Create back up copies of the and files. Open current\user\config\radius\ in a text editor.
  3. Append the following to the end of the file:

    ragent.ssl.pinning = true

  4. Save the file.
  5. Restart the Okta RADIUS Agent service using the available Windows administrative tools.

This process restricts agent communication to only servers which can present valid certificates with public keys known to the new agents.

Typical workflow



Download the RADIUS agent
  1. In the Admin Console, go to SettingsDownloads.
  2. Click Download Latest link next to the RADIUS installer that you want to download.
  3. Use one of the following commands to generate the hash on your local machine. Replace setup in the commands with the file path to your downloaded agent.
    • Linux: sha512sum setup.rpm
    • macOS: shasum -a 512 setup.rpm
    • Windows: CertUtil -hashfile setup.exe SHA512
  4. Verify that the generated hash matches the hash on the Downloads page.
Configure RADIUS apps To enable RADIUS authentication with Okta, you must install the Okta RADIUS server agent and configure one or more RADIUS applications in the Okta admin console. Admin console RADIUS applications allow Okta to distinguish between different RADIUS-enabled apps and support them concurrently. In addition, Okta RADIUS applications support policy creation and assignment of the application to groups.

For more information on configuring the RADIUS App see RADIUS applications in Okta.

Install the agent Install the RADIUS Windows agent
Configure additional properties Configure properties
Manage the agent You can open the Okta RADIUS Agent Manager to make changes to the Shared Secret, RADIUS Port, and Proxy settings using ProgramsOkta RADIUS Agent Manager.
Access and manage log files Access and manage log files


Troubleshoot the Windows RADIUS agent
Uninstall the agent Uninstall the Windows RADIUS agent