Configure properties

During this step we configure additional properties as required.

Changes to the RADIUS Agent config.properties are only loaded on agent restart.
Always restart your agent after changing config.properties.

Open the folder where the Okta RADIUS agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.
From this folder, navigate to current\user\config\radius\config.properties. Before making changes, we recommend creating a back up of this file. Using a text application such a Notepad, open the file current\user\config\radius\config.properties residing in the Okta RADIUS agent installation folder.
Configure any of the properties shown below, as required.
When done, save the file.
Any changes are effective after restarting the Okta RADIUS Agent service using the available Windows administrative tools.

Property Description Default

ragent.num_max_http_connection The maximum number of HTTP connections in the connection pool. 20

ragent.num_request_threads The number of authentication worker threads available for processing requests. 15

ragent.total.request.timeout.millisecond
The maximum time the RADIUS agent is allowed to process a UDP packet after it has arrived from the RADIUS client.

For the Okta Verify with Push factor the actual value is interpreted by the RADIUS agent as one half (1/2) of the configured value.
For example: 60000 =60 seconds, divided in half =30 seconds.

For all other factors the value is used as specified.

60000

ragent.request.timeout.millisecond The maximum time the RADIUS agent is allowed to process a UDP packet after it has arrived from the RADIUS client.

If specified, ragent.total.request.timeout.millisecond is ignored.
If not specified, default is to use ragent.total.request.timeout.millisecond.

Available since version 2.9.4. N/A defaults to value specified by ragent.total.request.timeout.millisecond

ragent.okta.request.max.timeout.millisecond
The socket timeout to set on the Okta API request. This property only applies if configured; otherwise, it is computed dynamically based on the total request timeout setting.
Dynamic, based on remaining TTL for request

ragent.request.timeout.response.mode
The timeout response mode. Possible values include:

SEND_REJECT_ALWAYS - agent sends a reject message to the client after any timeout..

SEND_REJECT_ON_POLL_MFA- agent sends a reject message to the client if a timeout occurs during the MFA polling loop only (i.e. while the agent is polling Okta to determine if the user has correctly responded to an MFA challenge such as a push notification). If a timeout occurs at any other time, no response will be sent to the client.

NO_RESPONSE - no response will be sent to the client when the agent times out.

SEND_REJECT_ON_POLL_MFA

ragent.mfa.timeout.seconds Time, in seconds, that the agent will wait for the client to respond to an MFA challenge such as factor selection. 60

When using the RADIUS agent with a VPN such as Cisco ASA VPN the following timeout values should be configured on both RADIUS Agent and VPN settings:

RADIUS agent v2.9.3 and earlier with out Okta Verify Push. ragent.total.request.timeout.millisecond = VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries

RADIUS agent v2.9.3 with Okta Verify Push. ragent.total.request.timeout.millisecond = 2 * (VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries)

RADIUS agent v 2.9.4 and later. ragent.request.timeout.millisecond = VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries

Note:

VPN retry count should be between 3-5.

VPN request timeout should be 15-60s, (60-120s when using Okta Verify Push).

For example, where:

VPN retry = 5x

VPN request timeout = 60s

VPN wait between retry = 5s

Then, VPN authentication timeout = 5 * (60 + 5) + 5 = 320s, or 320000ms
RADIUS agent v2.9.3 and earlier with Okta Verify Push: ragent.total.request.timeout.millisecond = 320000.

RADIUS agent v 2.9.4 and later: ragent.request.timeout.millisecond =320000.

The following properties apply to proxy configuration only.

Property Description Default

ragent.proxy.enabled Indicates that the RADIUS agent should use a proxy. Must be set to true.
Example: ragent.proxy.enabled = true. Default: Not present must be added to config.properties.

ragent.proxy.address The IP address and port( if required) of the proxy. If ragent.proxy.enabled is set to true this property must exist.
Example: ragent.proxy.address = 127.0.0.1:8888
Default: Not present must be added to config.properties.

ragent.ssl.pinning If the proxy terminates the SSL connection, then SSL pinning must be disabled.
Example:
ragent.ssl.pinning = false Default: true.

ragent.proxy.user ragent.proxy.password Proxy credentials, if required.
Encrypted on agent restart.
ragent.proxy.user = admin
ragent.proxy.password = password Default: Not present must be added to config.properties.

Property	Description	Default
`ragent.num_max_http_connection`	The maximum number of HTTP connections in the connection pool.	20
`ragent.num_request_threads`	The number of authentication worker threads available for processing requests.	15
`ragent.total.request.timeout.millisecond`	The maximum time the RADIUS agent is allowed to process a UDP packet after it has arrived from the RADIUS client. For the Okta Verify with Push factor the actual value is interpreted by the RADIUS agent as one half (1/2) of the configured value. For example: 60000 =60 seconds, divided in half =30 seconds. For all other factors the value is used as specified.	60000
`ragent.request.timeout.millisecond`	The maximum time the RADIUS agent is allowed to process a UDP packet after it has arrived from the RADIUS client. If specified, ragent.total.request.timeout.millisecond is ignored. If not specified, default is to use `ragent.total.request.timeout.millisecond`. Available since version 2.9.4.	N/A defaults to value specified by ragent.total.request.timeout.millisecond
`ragent.okta.request.max.timeout.millisecond`	The socket timeout to set on the Okta API request. This property only applies if configured; otherwise, it is computed dynamically based on the total request timeout setting.	Dynamic, based on remaining TTL for request
`ragent.request.timeout.response.mode`	The timeout response mode. Possible values include: `SEND_REJECT_ALWAYS` - agent sends a reject message to the client after any timeout.. `SEND_REJECT_ON_POLL_MFA`- agent sends a reject message to the client if a timeout occurs during the MFA polling loop only (i.e. while the agent is polling Okta to determine if the user has correctly responded to an MFA challenge such as a push notification). If a timeout occurs at any other time, no response will be sent to the client. `NO_RESPONSE` - no response will be sent to the client when the agent times out.	`SEND_REJECT_ON_POLL_MFA`
`ragent.mfa.timeout.seconds`	Time, in seconds, that the agent will wait for the client to respond to an MFA challenge such as factor selection.	60

Property	Description	Default
`ragent.proxy.enabled`	Indicates that the RADIUS agent should use a proxy. Must be set to true. Example: ragent.proxy.enabled = true.	Default: Not present must be added to config.properties.
`ragent.proxy.address`	The IP address and port( if required) of the proxy. If ragent.proxy.enabled is set to true this property must exist. Example: `ragent.proxy.address = 127.0.0.1:8888`	Default: Not present must be added to config.properties.
ragent.ssl.pinning	If the proxy terminates the SSL connection, then SSL pinning must be disabled. Example: `ragent.ssl.pinning = false`	Default: true.
`ragent.proxy.user ragent.proxy.password`	Proxy credentials, if required. Encrypted on agent restart. `ragent.proxy.user = admin` `ragent.proxy.password = password`	Default: Not present must be added to config.properties.

Next steps

Manage the Windows agent

RADIUS agent v2.9.3 and earlier with out Okta Verify Push.	ragent.total.request.timeout.millisecond = VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries
RADIUS agent v2.9.3 with Okta Verify Push.	ragent.total.request.timeout.millisecond = 2 * (VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries)
RADIUS agent v 2.9.4 and later.	ragent.request.timeout.millisecond = VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries