Integrate Okta with OpenVPN Access Server via RADIUS

Introduction

OpenVPN Access Server can be configured to authenticate against Okta using RADIUS. Unlike the LDAP integration, RADIUS supports Multi-Factor Authentication (MFA); that is one of the benefits that justifies the lengthier setup.

The following pieces will make up the RADIUS integration between Okta and OpenVPN Access Server:

  • Okta RADIUS app
  • Okta RADIUS agent
  • OpenVPN Access Server
  • Okta directory

Add Generic RADIUS application in Okta

To start, you’ll need to add a RADIUS app in your Okta Admin Console. The RADIUS port and shared secret that connect a RADIUS agent with the VPN server are configured through this app in the Console.

NOTE: Okta RADIUS only supports PAP-based authentication, which is supported by OpenVPN Access Server.

  1. From your Okta Admin Console, click on Applications > Applications.
  2. Click on Add Application, then search for RADIUS.
  3. From the search results, choose RADIUS App and click on Add.
  4. After creating the app, configure it, starting with the Sign on tab:
       1. Authentication: Leave this as default.
       2. UDP Port: 1812
       3. Secret Key: Enter the secret key that will be used to encrypt and decrypt the user password. It must be identical to the shared secret configured on the OpenVPN Access Server.
       4. Application username format: Select from the drop-down how the RADIUS client sends the username.
       5. Password Reveal: Check if you want your users to securely see their password.
  5. The final step is to add users to the app. All Users or Groups assigned here will have access to OpenVPN Access Server’s Client UI using their Okta credentials.
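To make the Secret Key and PAP settings above concrete, here is an added example (not code from Okta or OpenVPN) that models how a RADIUS client such as Access Server hides a PAP password inside an Access-Request using the shared secret, and how the receiving RADIUS agent recovers it, following RFC 2865 section 5.2. The username, password, shared secret and NAS-Identifier values are constructed for the demonstration.

```python
"""Model of RFC 2865 PAP User-Password hiding in a RADIUS Access-Request.

Added example, not code from Okta or OpenVPN. All values used below are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1        # RADIUS packet code
ATTR_USER_NAME = 1        # attribute type numbers from RFC 2865
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password (RFC 2865 section 5.2).

    The password is null-padded to a multiple of 16 octets. Each 16-octet block is
    XORed with MD5(secret + previous output block); the first "previous block" is
    the 16-octet Request Authenticator from the packet header.
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password on the server side; trailing padding nulls are dropped."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: bytes,
                         password: bytes, nas_id: bytes = b"openvpn-as"):
    """Build an Access-Request as the VPN server (the RADIUS client) would."""
    authenticator = os.urandom(16)   # fresh random Request Authenticator per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def server_recover_password(packet: bytes, secret: bytes) -> bytes:
    """What the RADIUS agent does with its copy of the shared secret."""
    _, _, authenticator, attrs = parse_packet(packet)
    return reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt, _ = build_access_request(7, secret, b"alice@example.com", b"correct horse")
    print("recovered with matching secret:", server_recover_password(pkt, secret))
    print("recovered with wrong secret:   ", server_recover_password(pkt, b"other"))
```

Two points the model makes visible: the agent can only recover the password when its shared secret matches the one entered in Access Server, which is why a mismatch shows up as a plain authentication failure rather than a configuration error; and the hiding is an MD5-derived keystream XOR rather than modern encryption, so the Access Server to RADIUS agent path should stay on a trusted network segment.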

Install the Okta RADIUS Agent

You can install the agent on a Windows Server or request the Linux agent from Okta, which is considered Early Access. The Windows Server steps come first, followed by the Linux agent.

Install Okta RADIUS Agent on Windows Server

  1. From your Okta Administrator Dashboard, select Settings > Downloads, then scroll down to the Okta RADIUS Server Agent and click Download Latest.
  2. Run the downloaded file to install the agent on your Windows Server.
  3. For the proxy information, choose whether to define specifics or use a direct connection.
  4. Enter your Okta org ID for the subdomain.
  5. Sign on with Okta admin credentials.
  6. Click the Allow Access button.
  7. The RADIUS agent completes installation.
  8. Click Finish to complete the RADIUS agent installation on Windows Server.
  9. Next, open your Windows Defender Firewall with Advanced Security and click on New Rule.
  10. Select Port.
  11. Select the UDP protocol and enter the port number you’re using (the UDP port set in the Okta RADIUS app, 1812 in the example above).
  12. Select Allow the connection.
  13. Set Profile for your network needs, then enter a name such as Okta RADIUS and click Finish.

Install Okta RADIUS Agent on Linux

Installing the Okta RADIUS agent on Linux requires contacting Okta Support, as it is considered an early access feature. You’ll need to request that it be added to your downloads.

  1. After Support has added the Linux agent for you, in your Okta admin panel, click on Settings > Downloads. Select the link next to the Okta RADIUS Server Agent for your Linux OS.
  2. Upload the file to your Linux server. Then validate the download by running the following command to generate the hash on your local machine. Note: replace ‘setup’ with the path to your downloaded file.
    sha512sum setup
  3. Verify that the generated hash matches the hash shown in your Okta Admin Console on the Downloads page.
  4. The next steps should be done with root privileges. Install the agent using either rpm (for RPM-based distributions) or apt (for DEB).
    rpm -Uvh OktaRadiusSetupRPM-{version#}.rpm
    apt install /${PATH_TO_FILE}/OktaRadiusAgentSetup-{version#}.deb
  5. During installation, you’ll be prompted to enter your base URL for Okta. Example: https://yourbiz.okta.com.
  6. After that, you’ll be prompted to authenticate with your Okta tenant. Copy the URL into a web browser.
  7. In the browser, click on Allow Access.
  8. The Linux terminal will display a message that installation is complete.
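Steps 2 and 3 above compare a sha512sum result against the hash shown on the Downloads page by eye. The following added example (not Okta's code) does the same integrity check in Python, tolerating the whitespace and letter case that come along when the hash is copied from the console, refusing anything that is not a full SHA-512 digest, and comparing in constant time. The file path and expected hash on the command line are whatever you downloaded and whatever the console shows; no Okta values are assumed here.

```python
"""Verify a downloaded installer against the SHA-512 shown in the Okta Admin Console.

Added example, not Okta's code. Equivalent to reading `sha512sum <file>` output and
comparing it to the console value by hand.
"""
import hashlib
import hmac
import sys

SHA512_HEX_LEN = 128  # 64 bytes of digest, hex encoded


def normalise_hex(expected: str) -> str:
    """Accept the hash as copied from the console: strip whitespace, lower-case it,
    and reject anything that is not exactly one SHA-512 hex digest."""
    value = "".join(expected.split()).lower()
    if len(value) != SHA512_HEX_LEN or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("expected value is not a 128-character SHA-512 hex digest")
    return value


def sha512_file(path: str) -> str:
    """Stream the file through SHA-512 so large installers do not need to fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time comparison of two hex digests."""
    return hmac.compare_digest(actual_hex, normalise_hex(expected_hex))


def verify_bytes(data: bytes, expected_hex: str) -> bool:
    """In-memory variant, useful for tests and for data already read elsewhere."""
    return digest_matches(hashlib.sha512(data).hexdigest(), expected_hex)


def verify_download(path: str, expected_hex: str) -> bool:
    """True only if the file on disk hashes to the value shown in the console."""
    return digest_matches(sha512_file(path), expected_hex)


if __name__ == "__main__":
    # usage: python verify_download.py <downloaded-file> <hash-from-console>
    if len(sys.argv) != 3:
        sys.exit("usage: verify_download.py <file> <expected-sha512-hex>")
    ok = verify_download(sys.argv[1], sys.argv[2])
    print("OK: hash matches" if ok else "MISMATCH: do not install this file")
    sys.exit(0 if ok else 1)
```

Run it before the rpm or apt step; a non-zero exit status makes it easy to gate an automated install on the check.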

For more detailed information about the agent, refer to Okta’s Linux RADIUS agent documentation.

Configure RADIUS in the OpenVPN Admin Web UI

Now you’ll configure OpenVPN Access Server to use Okta for credentials via RADIUS.

  1. Log in to the OpenVPN Admin Web UI and click on Authentication > RADIUS. Click on Use RADIUS, then Update Running Server.
  2. Next, enter your RADIUS Authentication details. The following four fields are required; the other fields are optional.
       RADIUS Authentication Method: Select PAP.
       Hostname or IP Address: The hostname or IP address of the server running the Okta RADIUS agent.
       Shared secret: The shared secret configured in the Okta RADIUS app.
       Authentication port: The UDP port configured in the Okta RADIUS app.
  3. Click on Save Settings and Update Running Server.
  4. OpenVPN Access Server will now use Okta for login credentials.

Logging in to Client UI

When a user now logs in, they will use their Okta credentials as well as the MFA factor set up in the Okta admin panel.

  1. The user goes to the OpenVPN Access Server Client UI in their browser, enters their credentials and clicks Sign In.
  2. After clicking Sign In, they see the MFA prompt, based on what is set up in Okta (for example, SMS).
  3. Once they complete the multi-factor authentication, they are logged in and can choose the client or config file they need.

Troubleshooting

MFA is not set up in the Okta admin panel:

If you encounter an error message such as Access denied or invalid credentials, it may be that you haven’t completed the multifactor configuration in the Security section of your Okta admin panel. If you check the logging for your RADIUS app, you’ll see the error message, “User does not have a valid factor enrolled.”

This is because the RADIUS app requires multifactor authentication through its default sign-on rule.

To resolve the error, you can either set up Multifactor for your users or create a new sign-on rule with a higher priority that does not require it.

Setup Okta Multifactor

  1. In your Okta admin panel, go to Security > Multifactor.
  2. Set up and configure the MFA factor of your choice.

Create a rule that doesn’t require MFA for logging in

  1. From the Sign On tab for your RADIUS application, scroll to the bottom and click on Add Rule.
  2. Enter the new rule without the Multifactor box checked and click Save.
  3. Make sure your new rule has a higher priority than the default rule; your users will then no longer be prompted for an additional authentication factor.

MFA causes user lockout in OpenVPN Access Server

If your user receives a ‘LOCKOUT’ error message when attempting to log in, it may be due to the number of steps it takes to enroll in MFA through the OpenVPN Client UI. This is caused by Access Server's lockout policy. Refer to Authentication failure lockout policy for the default values and how to adjust the settings. The steps below show the error as the user experiences it.

If your user hasn’t enrolled in MFA yet, they will be prompted when they first log in:

  1. After entering their credentials, they are asked to log in with one of the available MFA factors.
  2. After enrolling, they are asked for a phone number.
  3. Once they enter their phone number, they must then enter the code sent to their phone.
  4. They then receive a LOCKOUT message.

This happens because each CHALLENGE in that exchange is counted as a login attempt by the OpenVPN Access Server. If you review your logs in the Admin Web UI, you’ll see those attempts.

If the user waits 15 minutes, they can log in again. At that point they go through only the login credentials step and one MFA step, so the lockout threshold is not reached.