Tutorial: Integrate Okta with Access Server via RADIUS
RADIUS can be used to configure Access Server to authenticate against Okta. RADIUS supports MFA, which LDAP doesn't.
Overview
RADIUS can be used to configure Access Server to authenticate against Okta. RADIUS supports Multi-Factor Authentication (MFA), which LDAP does not; that benefit comes at the cost of a longer setup.
The following pieces will make up the RADIUS integration between Okta and Access Server:
Okta RADIUS app.
Okta RADIUS agent.
Access Server.
Prerequisites
Okta directory.
Installed Access Server.
You’ll need to add a RADIUS app in your Okta Admin Console. The app defines the RADIUS port and shared secret that the RADIUS agent uses to connect with Access Server.
Important
Okta RADIUS only supports PAP-based authentication, which Access Server supports.
From your Okta Admin Console, click on Applications > Applications.
Click on Add Application, then search for RADIUS.
From the search results, choose RADIUS App and click on Add.
After creating the app, you need to configure it starting with the Sign on tab:
Authentication: Leave this as default.
UDP Port: 1812.
Secret Key: Enter the secret key that will be used to encrypt and decrypt the user password. It will be identical to what is configured in Access Server.
Application username format: Select from the drop-down how the RADIUS client sends the username.
Password Reveal: Check if you want your users to see their password securely.
The final step is to add users to the app. All Users or Groups here will have access to Access Server's Client Web UI using their Okta credentials.
You can install the agent on a Windows Server or request the Linux agent from Okta, which is considered Early Access. The steps for the Windows Server are first followed by the Linux agent.
Install Okta RADIUS agent on a Windows server
From your Okta Administrator Dashboard, select Settings > Downloads, then scroll down to the Okta RADIUS Server Agent and click Download Latest.
Run the downloaded file to install the agent on your Windows Server.
Choose whether to define specifics or use a direct connection for the proxy information.
Enter your Okta org ID for the subdomain.
Sign on with Okta admin credentials.
Click the Allow Access button.
The RADIUS agent completes the installation.
Click Finish to complete the RADIUS agent installation on Windows Server.
Next, open your Windows Defender Firewall with Advanced Security and click on New Rule.
Select Port.
Select the UDP protocol, enter your port number, and click Next.
Select Allow the connection.
Set the Profile for your network needs, enter a name, and click Finish.
Install Okta RADIUS agent on Linux
Installing the Okta RADIUS agent on Linux requires contacting Okta Support. It’s considered an early access feature, so you’ll need to request that it be added to your downloads.
After Support has added the Linux agent for you, sign in to your Okta admin panel.
Click Settings > Downloads.
Select the link next to your Linux OS's Okta RADIUS Server Agent.
Upload the file to your Linux server.
Validate the download by entering the following command to generate the hash on your local machine. (Replace 'setup' with the path to your downloaded file.)
sha512sum setup
Verify that the generated hash matches the hash in your Okta Admin Console on the Downloads page.
Install the agent using the appropriate command for your Linux OS. (Ensure you have root privileges.)
RPM-based distributions:
rpm -Uvh OktaRadiusSetupRPM-{version#}.rpm
Debian-based distributions:
apt install /${PATH_TO_FILE}/OktaRadiusAgentSetup-{version#}.deb
You'll be prompted to enter your base URL for Okta during installation. Example: https://yourbiz.okta.com.
After that, you’ll be prompted to authenticate with your Okta tenant. Copy the URL into a web browser.
In the browser, click Allow Access.
The Linux terminal will display a message that the installation is complete.
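The hash check in the steps above, written out as a small script. This is an added example, not code from Okta or OpenVPN: it streams the installer through SHA-512, normalises the hash pasted from the Downloads page, refuses a malformed (for example half-pasted) value instead of comparing against it, and compares in constant time. The EXPECTED_SHA512 value is a placeholder and the file path in the usage comment is constructed.

```python
import hashlib
import hmac
import sys

# CONSTRUCTED placeholder: replace with the SHA-512 shown next to the agent on the
# Okta Admin Console Downloads page (Settings > Downloads).
EXPECTED_SHA512 = "<paste hash from the Okta Downloads page>"


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the installer through SHA-512 so large packages need not fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_hex):
    """True only if the file's SHA-512 equals the published value.

    The published hex is normalised (whitespace, case) and rejected outright if it is
    not 128 hex characters, so a truncated paste fails instead of being 'compared'
    against nothing; the final comparison is constant-time.
    """
    expected = "".join(expected_hex.split()).lower()
    if len(expected) != 128 or any(c not in "0123456789abcdef" for c in expected):
        return False
    return hmac.compare_digest(sha512_of_file(path), expected)


if __name__ == "__main__":
    # usage: python verify_agent.py /path/to/OktaRadiusAgentSetup-{version#}.deb [expected-hash]
    target = sys.argv[1]
    published = sys.argv[2] if len(sys.argv) > 2 else EXPECTED_SHA512
    ok = verify_download(target, published)
    print("OK: hash matches, safe to install" if ok else "MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

Comparing against the value shown inside your authenticated Admin Console session, rather than a hash fetched from the same place as the file, is what makes the check meaningful: a tampered download and a tampered hash would have to be substituted in two different places.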
For more detailed information about the agent, refer to Okta’s Linux RADIUS agent documentation.
Now you’ll configure Access Server to use Okta for credentials via RADIUS.
Sign in to the Admin Web UI.
Click Authentication > RADIUS.
Enter your RADIUS authentication details. The four following details are required; the other fields are optional.
Table 1. RADIUS settings and details
Hostname or IP Address: Enter the hostname or IP address of your Okta RADIUS agent's server.
Shared Secret: Enter the shared secret from the Okta RADIUS app.
Authentication Port: Enter the port set in the Okta RADIUS app (likely the default port, 1812).
Verify Message-Authenticator Attribute: Set to No. Message-Authenticator is not currently supported: at the time of publication, this RADIUS service doesn't return a Message-Authenticator as part of its response.
RADIUS Authentication Method: Set PAP to Yes.
Click Enable RADIUS Authentication under RADIUS Settings.
Access Server now uses Okta for authentication.
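What the two protocol-level settings above actually mean on the wire (PAP as the method, and "Verify Message-Authenticator Attribute" set to No), shown with an added example that is not code from Okta or OpenVPN and is not how either product implements RADIUS. It builds a PAP Access-Request the way a RADIUS client such as Access Server would, simulates the agent's reply with and without a Message-Authenticator, and validates the reply as a client should. The shared secret, username, password and fixed Request Authenticator are constructed test values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used below (RFC 2865, RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80


def attr(type_code, value):
    """TLV-encode one attribute: Type, Length (counts this 2-byte header), Value."""
    return struct.pack("!BB", type_code, len(value) + 2) + value


def parse_attributes(blob):
    """Return (type, offset_in_blob, value) triples; bad lengths raise ValueError."""
    out, i = [], 0
    while i < len(blob):
        length = blob[i + 1] if i + 2 <= len(blob) else 0
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        out.append((blob[i], i, blob[i + 2:i + length]))
        i += length
    return out


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2 User-Password hiding: what PAP puts on the wire.

    Zero-pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous_block), seeded with the Request Authenticator.
    This is secret-keyed obfuscation, not authenticated encryption; the
    shared secret's strength and the path to the agent protect the credential.
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * (16 if not password else (-len(password)) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password (the server side); trailing zero padding is stripped."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident, username, password, secret, request_auth=None):
    """Client side: Access-Request carrying PAP credentials plus a Message-Authenticator,
    which is HMAC-MD5 over the packet with its own 16 value bytes zeroed (RFC 2869 s5.14)."""
    request_auth = os.urandom(16) if request_auth is None else request_auth
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)))
    placeholder = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(placeholder))
    mac = hmac.new(secret, header + request_auth + placeholder, hashlib.md5).digest()
    return header + request_auth + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def build_response(code, ident, request_auth, secret, attrs=b"", include_message_auth=False):
    """Server side, used here only to simulate the agent's reply with or without the attribute."""
    if include_message_auth:
        placeholder = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
        header = struct.pack("!BBH", code, ident, 20 + len(placeholder))
        mac = hmac.new(secret, header + request_auth + placeholder, hashlib.md5).digest()
        attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def validate_response(packet, request_auth, secret, require_message_auth):
    """Checks a client makes before trusting a reply. require_message_auth mirrors
    Access Server's "Verify Message-Authenticator Attribute": True rejects any reply
    without the attribute (why the tutorial sets No for an agent that omits it);
    False still verifies the Response Authenticator and checks the HMAC when present."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, response_auth, attrs_blob = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs_blob + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return False
    try:
        found = [(o, v) for t, o, v in parse_attributes(attrs_blob) if t == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if not found:
        return not require_message_auth
    off, value = found[0]
    start = 20 + off + 2  # first byte of the attribute's value
    zeroed = header + request_auth + packet[20:start] + b"\x00" * 16 + packet[start + 16:]
    return len(value) == 16 and hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
```

Two points follow from the code. First, PAP does not send the password in the clear, but the hiding is a keystream derived from MD5 of the shared secret, so a long random shared secret and a trusted network path between Access Server and the agent host are the controls that matter. Second, with the verify setting at No the client still checks the Response Authenticator, which binds every reply to the matching request and to the secret; what is given up is the per-packet HMAC, and turning the setting on against an agent that does not send the attribute would make every reply fail validation.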
Your users can sign in to the Client Web UI using their Okta credentials. You can also include the MFA setup in the Okta admin panel.
The user goes to the Client Web UI in their browser, enters credentials, and clicks Sign In.
(Optional) The user may see an MFA prompt based on the Okta setup.
After successful authentication, the user can choose to download OpenVPN Connect or a connection profile.
MFA is not set up in Okta admin panel
If you encounter an error message such as “Access denied” or invalid credentials, it may be that you haven’t completed the multifactor configuration in the Security section of your Okta admin panel. If you check the logging in your RADIUS app, you’ll also see the error message “User does not have a valid factor enrolled.”
This happens because the RADIUS app requires multifactor authentication through its default sign-on rule.
To resolve the error, you can either set up Multifactor for users or create a new sign-on rule with a higher priority.
Set up Okta multifactor
In your Okta admin panel, go to Security > Multifactor.
Set up and configure the MFA factor of your choice.
Create a rule that doesn't require MFA to sign in
From your RADIUS application's Sign On tab, scroll to the bottom and click Add Rule.
Enter the new rule without the multifactor box checked and click Save.
Ensure your new rule is a higher priority than the default rule, and your users will no longer be prompted for additional authorization.
MFA causes user lockout in Access Server
If a user receives a ‘LOCKOUT’ error message when attempting to sign in, it may be due to the number of steps enrolling in MFA through the Client Web UI takes. The lockout is triggered by Access Server's lockout policy. Refer to Authentication failure lockout policy for the default values and how to adjust the settings. The steps below show the error as the user receives it.
If the user hasn't enrolled in MFA yet, when they first sign in, they will be prompted:
After entering their credentials, they receive the MFA prompt.
After enrolling, they are asked for a phone number.
Once entering their phone number, they must then enter the code sent to their phone.
They then receive a LOCKOUT message.
This happens because Access Server counts each challenge as a separate login attempt. If you review your logs in the Admin Web UI, you'll see each of those attempts recorded.
If the user waits 15 minutes, they can sign in again. They will then only go through the credentials authentication step and one MFA step.