Configure Cisco Meraki to interoperate with Okta using RADIUS

This guide details how to configure Cisco Meraki wireless access points to use the Okta RADIUS Server Agent and EAP-TTLS.

For details of the flow between Okta, the RADIUS agent and Cisco Meraki see Cisco Meraki RADIUS integration flow.

Contact Okta Support to have EAP-TTLS support enabled for your Okta org.


Before you begin

Before installing the Okta RADIUS Agent ensure that you have met these minimum requirements for network connectivity:

Source Destination Port/Protocol Description
Okta RADIUS Agent Okta Identity Cloud TCP/443
Configuration and authentication traffic
Client Gateway Okta RADIUS Agent UDP/1812 RADIUS (Default, may be changed in RADIUS app install and configuration) RADIUS traffic between the gateway (client) and the RADIUS Agent (server)


Only a single Okta Verify device should be enrolled. Enrolling second and subsequent Okta Verify devices may cause undefined or unexpected behavior.

On using MFA with Cisco Meraki
Okta doesn't recommend using MFA with EAP-TTLS and it has been disabled by default in the Cisco Meraki RADIUS app policy.
While technically possible, MFA with EAP-TTLS may not work correctly due to:

  • Timeout and retry configurations on the router and supplicants which cause several push requests to be sent unless the end-user accepts the first push notification quickly.
  • Roaming between access points within a zone works with static passwords works as expected, but will result in MFA re-prompts unless Pairwise Master Key caching and Opportunistic Key caching are correctly configured to prevent RADIUS re-authentication.

Typical workflow



Download the RADIUS agent
Install the Okta RADIUS Agent.
  • Install either the Windows or Linux RADIUS agents as appropriate for your environment.
Configure application
Configure optional settings
Configure gateway
Configure devices

Related topics