Configure properties
During this step we configure additional properties as required.
Changes to the RADIUS Agent config.properties are only loaded on agent restart.
Always restart your agent after changing config.properties.
- Open the folder where the Okta RADIUS agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.
- From this folder, navigate to current\user\config\radius\config.properties. Before making changes, we recommend creating a backup of this file. Using a text editor such as Notepad, open the file current\user\config\radius\config.properties residing in the Okta RADIUS agent installation folder.
- Configure any of the properties shown below, as required.
- When done, save the file.
- Any changes are effective after restarting the Okta RADIUS Agent service using the available Windows administrative tools.
| Property | Description | Default |
| --- | --- | --- |
| ragent.num_max_http_connection | The maximum number of HTTP connections in the connection pool. | 20 |
| ragent.num_request_threads | The number of authentication worker threads available for processing requests. | 15 |
| ragent.total.request.timeout.millisecond | The maximum time the RADIUS agent is allowed to process a UDP packet after it has arrived from the RADIUS client. For the Okta Verify with Push factor, the actual value is interpreted by the RADIUS agent as one half (1/2) of the configured value. For example: 60000 = 60 seconds, divided in half = 30 seconds. For all other factors, the value is used as specified. | 60000 |
| ragent.request.timeout.millisecond | The maximum time the RADIUS agent is allowed to process a UDP packet after it has arrived from the RADIUS client. If specified, ragent.total.request.timeout.millisecond is ignored. If not specified, the default is to use ragent.total.request.timeout.millisecond. Available since version 2.9.4. | N/A; defaults to the value specified by ragent.total.request.timeout.millisecond |
| ragent.okta.request.max.timeout.millisecond | The socket timeout to set on the Okta API request. This property only applies if configured; otherwise, it is computed dynamically based on the total request timeout setting. | Dynamic, based on remaining TTL for request |
| ragent.request.timeout.response.mode | The timeout response mode. Possible values include: SEND_REJECT_ALWAYS - agent sends a reject message to the client after any timeout. SEND_REJECT_ON_POLL_MFA - agent sends a reject message to the client if a timeout occurs during the MFA polling loop only (i.e. while the agent is polling Okta to determine if the user has correctly responded to an MFA challenge such as a push notification). If a timeout occurs at any other time, no response will be sent to the client. NO_RESPONSE - no response will be sent to the client when the agent times out. | SEND_REJECT_ON_POLL_MFA |
| ragent.mfa.timeout.seconds | Time, in seconds, that the agent will wait for the client to respond to an MFA challenge such as factor selection. | 60 |
When using the RADIUS agent with a VPN such as Cisco ASA VPN, the following timeout values should be configured on both the RADIUS agent and VPN settings:
- RADIUS agent v2.9.3 and earlier without Okta Verify Push: ragent.total.request.timeout.millisecond = VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries
- RADIUS agent v2.9.3 with Okta Verify Push: ragent.total.request.timeout.millisecond = 2 * (VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries)
- RADIUS agent v2.9.4 and later: ragent.request.timeout.millisecond = VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries
Note:
- VPN retry count should be between 3-5.
- VPN request timeout should be 15-60s, (60-120s when using Okta Verify Push).
For example, where:
- VPN retry = 5x
- VPN request timeout = 60s
- VPN wait between retry = 5s
Then, VPN authentication timeout = 5 * (60 + 5) - 5 = 320s, or 320000ms
- RADIUS agent v2.9.3 and earlier with Okta Verify Push: ragent.total.request.timeout.millisecond = 320000
- RADIUS agent v2.9.4 and later: ragent.request.timeout.millisecond = 320000
The following properties apply to proxy configuration only.
| Property | Description | Default |
| --- | --- | --- |
| ragent.proxy.enabled | Indicates that the RADIUS agent should use a proxy. Must be set to true. Example: ragent.proxy.enabled = true | Not present; must be added to config.properties. |
| ragent.proxy.address | The IP address and port (if required) of the proxy. If ragent.proxy.enabled is set to true, this property must exist. Example: ragent.proxy.address = 127.0.0.1:8888 | Not present; must be added to config.properties. |
| ragent.ssl.pinning | If the proxy terminates the SSL connection, then SSL pinning must be disabled. Example: ragent.ssl.pinning = false | true |
| ragent.proxy.user, ragent.proxy.password | Proxy credentials, if required. Encrypted on agent restart. Example: ragent.proxy.user = admin, ragent.proxy.password = password | Not present; must be added to config.properties. |
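
The timeout and proxy rules above can be checked mechanically before restarting the agent. The following is an added example, not Okta code: the function names are hypothetical, only simple `key = value` lines are parsed, and it assumes (from the formulas above) that ragent.request.timeout.millisecond is not halved for Okta Verify Push.

```python
# Added example: lint a config.properties against the rules described on this page.
DEFAULT_TOTAL_MS = 60000  # page default for ragent.total.request.timeout.millisecond

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
ragent.total.request.timeout.millisecond = 60000
ragent.proxy.enabled = true
ragent.ssl.pinning = false
"""

def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#' or '!' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def vpn_auth_timeout_ms(retries, timeout_s, wait_s):
    """retry count * (timeout + wait between retries) - wait between retries, in ms."""
    return (retries * (timeout_s + wait_s) - wait_s) * 1000

def effective_timeout_ms(props, push=False):
    """Per-request time budget the agent ends up with."""
    if "ragent.request.timeout.millisecond" in props:  # v2.9.4+: total is ignored
        return int(props["ragent.request.timeout.millisecond"])
    total = int(props.get("ragent.total.request.timeout.millisecond", DEFAULT_TOTAL_MS))
    return total // 2 if push else total  # Okta Verify Push halves the total value

def lint(props, retries, timeout_s, wait_s, push=False):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    want = vpn_auth_timeout_ms(retries, timeout_s, wait_s)
    have = effective_timeout_ms(props, push)
    if have != want:
        findings.append(f"timeout: agent budget {have} ms, VPN window {want} ms")
    if props.get("ragent.proxy.enabled", "").lower() == "true" \
            and "ragent.proxy.address" not in props:
        findings.append("proxy: enabled but ragent.proxy.address is missing")
    if props.get("ragent.ssl.pinning", "true").lower() == "false":
        findings.append("tls: pinning disabled; confirm the proxy terminates SSL")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE), 5, 60, 5, push=True):
        print(finding)
```

A disabled-pinning finding is expected when a proxy terminates SSL; it is reported so the setting is reviewed rather than left off after the proxy is removed.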