Install Okta RADIUS server agent on Windows
The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication (SFA) or multifactor authentication (MFA). It installs as a Windows service and supports the Password Authentication Protocol (PAP).
A RADIUS client sends the credentials of a user who's requesting access to the client to the RADIUS agent. Authentication requests are processed based on the org settings:
- If MFA is disabled and the user credentials are valid, the user is authenticated.
- If MFA is enabled and the user credentials are valid, the user is prompted to select a second authenticator. The user selects one and obtains a request for a validation code. If the code is correct, the user gains access.
Some applications or services, like AWS Workspace, don't provide an MFA selection when signing in. Instead, they ask for the MFA code in addition to the user's username and password. If the user has enrolled in more than one authenticator, there's no need for the user to specify which authenticator they're using. Each handler processes their code until it's validated.
Prerequisites
Operating systems
You can install the Okta RADIUS server agent on the following Windows Server versions:
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Windows versions 2008, 2008 R2 and 2003 R2 aren't supported.
Browser
The Okta RADIUS server agent uses Microsoft Edge as the default built-in browser.
Use SSL pinning
RADIUS agent versions 2.2.0 and later are enabled with SSL pinning, which provides an extra layer of security. SSL pinning isn't enabled by default in earlier versions.
If you upgrade from an agent version earlier than version 2.2.0, do the following procedure after the upgrade. This process restricts agent communication only to servers that can present valid certificates with public keys known to the new agents.
Don't do this procedure for agents on a network that has a web security appliance on it.
- Open the folder where the Okta RADIUS server agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.
- Open the current\user\config\radius\ folder and create backup copies of the config.properties and additional-config.properties files.
- Open the current\user\config\radius\config.properties file in a text editor.
- Append the following line to the end of the file:
ragent.ssl.pinning = true
- Save the file.
- Restart the Okta RADIUS server agent service using the Windows administrative tools.
Typical workflow
Task |
Description |
---|---|
Download the Okta RADIUS server agent |
|
Enable RADIUS authentication with Okta | Install the Okta RADIUS server agent and configure RADIUS apps in the Admin Console. These apps allow Okta to distinguish between different RADIUS-enabled apps and then support them concurrently. Okta RADIUS apps also let you create policies and assign apps to groups. |
Install the agent | Install the RADIUS Windows agent |
Configure additional properties | Configure properties |
Manage the agent | Open the Okta RADIUS Agent Manager to change the Shared Secret, RADIUS Port, and Proxy settings using the menu. |
Access and manage log files | Access and manage log files |
Troubleshoot |
Troubleshoot the Windows RADIUS agent |
Uninstall the agent | Uninstall the Windows RADIUS agent |