Install and configure the RADIUS agent in AWS

During this task we will configure the install and configure the RADIUS agent into an AWS instance.

Before you begin

  • Ensure that you have the common UDP port and secret key values available.
    Port 1899 is used throughout this integration.

Install the RADIUS Agent

The following steps should be completed on the AWS instance described as Instance B.

  • When you install the RADIUS server agent, use an account with the Super Admin role. Or use another role that has read-only admin and app admin permissions assigned to it.
  • Use a dedicated service account on your server to authorize RADIUS server agents. This ensures that authorizations aren't tied to a user account. These authorizations could be lost if the user leaves the organization.
  • Give appropriate admin permissions to service accounts used for RADIUS server agents. See the Multifactor Authentication section of Standard administrator roles and permissions.

  1. In the Admin Console, go to SettingsDownloads.
  2. Scroll to Okta RADIUS Server Agent (EXE) and then click Download Latest.
  3. Run the installer. Click Next on the initial Important Information and License Information pages.
  4. Choose a location for the Installation folder and then click Install.
  5. Optional. Enter your proxy information on the Okta RADIUS Agent Proxy Configuration page.
  6. Click Next.
  7. On the Register Okta RADIUS Agent page, enter the complete URL for your org, like https://mycompany.okta.com. For testing in your preview org, you can enter the URL for your Okta Preview Sandbox org, like https://mycompany.oktapreview.com.
  8. Click Next. The Okta Sign In page appears.
  9. Sign in to the service-specific Okta account.
  10. Click Allow Access.
  11. Click Finish.

    If you encounter Error code 12: Could not establish trust relationship for the SSL/TLS service channel, ensure that you're running the latest version of the agent. Older agent versions don't support Transport Layer Security (TLS) 1.2.

  12. Configure a RADIUS app in Okta. See RADIUS applications in Okta.

Additional Property Configurations

You can override the defaults on the following properties, if desired.

Changes to the RADIUS Agent config.properties file are only loaded on agent restart. Always restart your agent after changing config.properties.

  1. Open the folder where the Okta RADIUS agent resides. The default installation folder is C:\Program Files (x86)\Okta\Okta RADIUS Agent\.
  2. From this folder, navigate to current\user\config\radius\config.properties. Create a backup of this file and then open the original in a text editor.
  3. Configure any of the properties shown below, as required.
  4. When done, save the file.
  5. Changes are effective after restarting the Okta RADIUS Agent service using the available Windows administrative tools.
Property Description Default
ragent.num_max_http_connection The maximum number of HTTP connections in the connection pool. 20*
ragent.num_request_threads The number of authentication worker threads available for processing requests. 15*
ragent.total.request.timeout.millisecond The maximum time the RADIUS agent is allowed to process a UDP packet after it has arrived from the RADIUS client.

For the Okta Verify with Push factor, the actual value is interpreted by the RADIUS agent as one half (1/2) of the configured value.

For example: 60000 = 60 seconds, divided in half = 30 seconds.

For all other factors the value is used as specified.

 60000
ragent.request.timeout.millisecond The maximum time the RADIUS agent is allowed to process a UDP packet after it has arrived from the RADIUS client.

If specified, ragent.total.request.timeout.millisecond is ignored.

If not specified, the default is to use ragent.total.request.timeout.millisecond.

Available since version 2.9.4.

 N/A defaults to value specified by ragent.total.request.timeout.millisecond
ragent.okta.request.max.timeout.millisecond The socket timeout to set on the Okta API request. This property only applies if configured; otherwise, it is computed dynamically based on the total request timeout setting. Dynamic, based on remaining TTL for request
ragent.request.timeout.response.mode The timeout response mode. Possible values include:
  • SEND_REJECT_ALWAYS: agent sends a reject message to the client after any timeout.
  • SEND_REJECT_ON_POLL_MFA: agent sends a reject message to the client if a timeout occurs during the MFA polling loop only (that is, while the agent is polling Okta to determine if the user has correctly responded to an MFA challenge such as a push notification). If a timeout occurs at any other time, no response will be sent to the client.
  • NO_RESPONSE: no response will be sent to the client when the agent times out.
 SEND_REJECT_ON_POLL_MFA
ragent.mfa.timeout.seconds Time, in seconds, that the agent will wait for the client to respond to an MFA challenge such as factor selection. 60

* If "Request queue is full" appears in your logs, the RADIUS Server Agent is rejecting login attempts due to reaching the maximum number of threads and connections that it can process. See The request queue is full.

When using the RADIUS agent with a VPN, such as Cisco ASA VPN, the following timeout values should be configured on both RADIUS Agent and VPN settings:

RADIUS agent v2.9.3 and earlier without Okta Verify Push.ragent.total.request.timeout.millisecond = VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries
RADIUS agent v2.9.3 with Okta Verify Push.ragent.total.request.timeout.millisecond = 2 * (VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries)
RADIUS agent v 2.9.4 and later.ragent.request.timeout.millisecond = VPN retry count * (VPN timeout + VPN wait between retries) - VPN wait between retries

Note:

  • VPN retry count should be between 3-5.
  • VPN request timeout should be 15-60s, (60-120s when using Okta Verify Push).

For example, where:

  • VPN retry = 5x
  • VPN request timeout = 60s
  • VPN wait between retry = 5s

Then, VPN authentication timeout = 5 * (60 + 5) - 5 = 320s, or 320000ms

RADIUS agent v2.9.3 and earlier with Okta Verify Push: ragent.total.request.timeout.millisecond = 320000.

RADIUS agent v 2.9.4 and later: ragent.request.timeout.millisecond = 320000.

The following properties apply to proxy configuration only:

Property Description Default
ragent.proxy.enabled Indicates whether the RADIUS agent should use a proxy. Set to true. For example,

ragent.proxy.enabled = true

 Not present. Add this property to config.properties.
ragent.proxy.address The IP address (and port, if required), of the proxy. This property must exist when ragent.proxy.enabled is true. For example,

ragent.proxy.address = 127.0.0.1:8888

Not present. Add this property to config.properties.
ragent.ssl.pinning If the proxy terminates the SSL connection, disable SSL pinning. For example,

ragent.ssl.pinning = false

 true
ragent.proxy.user

ragent.proxy.password

Proxy credentials, if required. Encrypted on agent restart. For example,

ragent.proxy.user = adminragent.proxy.password = password

 Not present. Add this property to config.properties.


For a complete list of all steps as well as detained steps for installing the Okta RADIUS agent see: