An Okta RADIUS server agent is a lightweight program that runs as a service outside of Okta. It is usually installed outside of a firewall, which gives Okta a route to communicate between an on-premise server and Okta’s cloud network.
Okta employs a handful of different types of agents with varying uses, including:
- Active Directory
- RADIUS Password Sync
The Okta RADIUS Server agent delegates authentication to Okta using single-factor authentication (SFA) or multi-factor authentication (MFA). It installs as a Windows service and currently supports the Password Authentication Protocol (PAP).
Can I Use Okta RADIUS Agent For Wi-Fi?
In its current iteration, the Okta RADIUS agent does not support Wi-Fi infrastructure. The Okta RADIUS Server agent is most often used when authentication is performed by a VPN that does not support SAML.
However, you can use your Okta directory to enroll for certificates that can be used to authenticate against a RADIUS server. We provide this service to customers all the time, by providing software to tie Okta to our PKI, providing mechanisms for end users to self-enroll for certificates with their Okta credentials, and also providing a RADIUS server.
How Can I Use Okta With RADIUS?
Okta RADIUS can distinguish the different RADIUS applications you use and support them all simultaneously by setting up an Okta RADIUS app for each configuration. Okta RADIUS also allows you to create policies to organize end-users into groups that are given access to different applications.
How Do I Set Up Okta RADIUS Agent?
To install the Okta RADIUS agent:
- From your Administrator Dashboard, select Settings > Downloads > Okta RADIUS Server Agent.
- Click the Download button and run the Okta RADIUS installer.
- Proceed through the installation wizard to the “Important Information” and “License Information” screens.
- Choose the Installation folder and click the Install button.
- On the Okta RADIUS Agent Configuration screen, enter your RADIUS Shared Secret key and RADIUS Port number. If you are using the RADIUS application, these elements are not required.
- On the Okta RADIUS Agent Proxy Configuration screen, you can optionally enter your proxy information. Click the Next button.
- On the Register Okta RADIUS Agent screen, choose your org version and enter the following:
  - If setting this up to test on your Okta Preview Sandbox org, you’ll need to enter the complete URL for your org. For example: https://mycompany.oktapreview.com
  - Enter Subdomain – For example, if you access Okta using https://mycompany.okta.com, enter “mycompany”.
- For Windows Server 2008 R2 Core only: Open a browser and add the provided URL into the address field. This authorizes the installer to use Okta.
- Click the Next button to continue on to an Okta Sign In page.
- Sign in to the service-specific Okta account on the Sign In screen.
- Click the Allow Access button.
- The confirmation screen appears. Click the Finish button to complete the installation.
- Configure a RADIUS app in Okta to set the RADIUS agent port, shared secret, and advanced RADIUS settings.
Okta’s LDAP Agent
LDAP (Lightweight Directory Access Protocol) is an industry-standard protocol used for accessing and maintaining distributed directory information services. Okta’s LDAP Interface allows for cloud-based LDAP authentication rather than authentication from an on-premise server.
Furthermore, the agent allows you to use your LDAP server for networking applications like Wi-Fi while using Okta for SAML applications like web apps.
Okta, Dynamic RADIUS, and Directory Communication
During a typical RADIUS authentication event, the RADIUS server checks the CRL to ensure that only approved users are able to access the network. This leaves a very slim window of opportunity for unapproved users to access the network. On the rare occasion of human error where an IT staff member forgets to revoke a certificate, that unapproved user can still access the network.
With Dynamic RADIUS from SecureW2, the RADIUS server is able to communicate directly with the directory to ensure only approved users are authenticated. It acts as a secondary level of approval where the RADIUS server checks the CRL and the directory to confirm whether a user is still active. For organizations with thousands of certificates, this added protection is key to maintaining network integrity.
In addition to the security benefits, it enables policy enforcement at the moment of authentication. So if a user gets a promotion and requires a different level of network security, they will automatically have it applied by the RADIUS server the instant they are updated in the directory.
Use Okta as SSO for 802.1x Certificate Enrollment
Okta enables you to provide SSO access to cloud, on-premise, and mobile applications. This is especially useful when combined with SecureW2’s EAP-TLS certificate solutions. Okta can be easily integrated with SecureW2, which allows users to be equipped with certificates for authentication, the highest form of security.
As users enroll for a certificate through SecureW2’s onboarding software, they enter Okta credentials and are confirmed for network use. The certificate is then imprinted with the user’s identity and the device identity can be automatically authenticated by the network for all future authentication requests.
You can also use Okta with Cloud RADIUS to further enhance the user experience. The identity context and rapid authentication of certificates ensure that your network is well-organized and protected from any potential threat.