RADIUS common issues and concerns

RADIUS Server agent won't install

Solutions include:

  • Ensure you're installing on one of the supported Windows or Linux versions for Okta RADIUS.
  • The Okta RADIUS agent can be installed on the following Windows Server versions:

    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
    • Windows Server 2022

    Windows versions 2008, 2008 R2 and 2003 R2 are not supported.

    The Okta RADIUS agent has been tested on the following Linux versions:

    • Red Hat Enterprise Linux release 8.0, 8.3
    • CentOS 7.6
    • Ubuntu 18.04.4, 20.04.1 LTS
  • Use the full Okta URL under “Custom” instead of just subdomain under “Production” in the installer.
  • Check for the presence of a proxy server, the RADIUS Server Agent installer is sensitive about proxies.
  • Check for an SSL interception device like a Palo Alto or FireEye. This is related to certificate pinning and affects all agents.
  • Try a different server in the environment just to eliminate any local machine issues.
  • Make sure that there are no leftover files under c:\program files (x86)\Okta\Okta RADIUS\ from a previous failed install.
  • Check Windows services.msc to make sure there isn’t a bad Okta RADIUS service leftover from a previous install (rare).
  • Try another version of the RADIUS Server Agent like the newest EA version.

VPN device can’t reach RADIUS Server Agent

The RADIUS Server Agent is running but the RADIUS client device can't reach it. (This is different than failed sign-in attempts.)

  • Check the Okta RADIUS logs under C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\logs\ to see if any connections are being made. Any connection, even failed ones, should show up.
  • Double check the server name/server IP entered into the VPN device, just to make sure it was keyed in correctly.
  • Verify the status of the Windows firewall on the Okta RADIUS Server Agent server to make sure it isn't blocking the connection.
  • Verify that the VPN device and the server can reach each other through ping or ask for a network admin to verify network connectivity.
  • Configure the RADIUS server using the IP address instead of the hostname. There are networks where DNS is limited and hostnames won't resolve.
  • Determine if network layer issues are preventing connection with network engineer (NTRADPing can be helpful here).

Correct credentials fail to authenticate

Possible solutions:

  • The RADIUS Server Agent is rejecting valid login attempts
  • Verify the user is assigned to the RADIUS App in Okta.
  • Verify that the user is enrolled in MFA.
  • Verify the shared secret on both the Okta RADIUS Server Agent and on the VPN device. A mismatch causes all authentications to fail.
  • Check the local RADIUS logs.
  • Also look for any errors that could indicate that the API token expired.
  • If you see a malformed username in the logs, it indicates that the server is using MSCHAPv2 to encode the username. Check the VPN device configuration to make sure only PAP authentication is enabled.
  • Check the Okta System Log to see why the connection was rejected.
  • Check VPN device for any settings that could/would restrict login.

User not prompted for preferred factor

Possible solutions:

  • The server or client doesn’t support RADIUS challenge.
  • OpenVPN server does support a RADIUS challenge but the free client that is included with it doesn't support the method and fails.
  • Some versions of Cisco’s AnyConnect VPN client have issues with challenge. It's sporadic and upgrading to the latest version usually fixes it.
  • VMWare View before version 5.1 doesn't support a RADIUS challenge.
  • This isn't true two-factor authentication unless it's paired with AD/LDAP authentication. This may or may not be a concern.
  • For information on 2FA (to use only the second factor in MFA), see Using the Okta RADIUS App.

Changes to RADIUS agent config.properties not taking effect

Possible solutions:

  • Changes have been made to the RADIUS agent config.properties file, but these changes aren't being reflected in the RADIUS Agent.
  • The RADIUS Agent must be restarted after making any changes to the config.properties file.
  • Changes made in the associated app in the Okta org do NOT require an agent restart. However, the agent may take a few minutes before it retrieves the updated configuration.
  • For more information about RADIUS Agent properties see the additional Properties section in Install Okta RADIUS Server agent on Windows.

Request queue is full

This message appears in your logs when the RADIUS Server Agent rejects sign-in attempts because it's reached the maximum number of request threads and connections that it can process.

Possible solution:

  • Update the maximum number of request threads and connections in config.properties. The recommended maximum values are:
    • ragent.num_request_threads=60

    • ragent.num_max_http_connection=80

For more information, see Configure properties, Configure properties, and RADIUS throughput and scaling benchmarks.