Install Okta RADIUS agent on Linux

This document describes the process of installing the Okta RADIUS Agent on Linux operating systems.

The Okta RADIUS server agent delegates authentication to Okta using single-factor authentication (SFA) or multifactor authentication (MFA).

A RADIUS client sends the RADIUS agent the credentials (username and password) of a user requesting access to the client. Authentication then depends on your org's MFA settings.

  • If MFA is disabled and the user credentials are valid, the user is authenticated.
  • If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one, for example Google Authenticator or Okta Verify, and obtains a request for a validation code. If the code sent back to the client is correct, the user gains access.

Supported Operating Systems

The Okta RADIUS agent has been tested on the following Linux versions:

  • Red Hat Enterprise Linux release 8.0, 8.3
  • CentOS 7.6
  • Ubuntu 18.04.4, 20.04.1 LTS

Requirements and limitations

Before you Begin

  • You must be able to sign in as root or run root-level commands using a tool such as sudo.
  • During installation you are prompted to enter your Okta URL, for example https://mycompany.okta.com, and you'll be required to authenticate as an admin. Have your Okta tenant URL and admin credentials available and ready for use.
  • For more information about Okta RADIUS Agent Deployment, see Getting started with Okta RADIUS Integrations and RADIUS server best practices. For general information about Okta’s RADIUS Integrations, please see Okta RADIUS Integrations.

When installing the RADIUS Agent, you must be logged in to an account that has either both the Read-only Admin and App admin roles, or the Super admin role.

In addition, Okta recommends the use of a dedicated service account to authorize RADIUS agents. A dedicated account ensures that the API token used by the RADIUS agent is not tied to the lifecycle of a specific user account, which could be deactivated when the user is deactivated. Service accounts used for RADIUS agents must also be given appropriate admin permissions.

Known Limitations

  • Proxy configurations must be configured directly in the agent configuration file.
  • Installation on ARM64 infrastructures is not currently supported.

Typical workflow

Task

Description

Download the RADIUS agent
  1. In the Admin Console, go to Settings > Downloads.
  2. Click the Download Latest link next to the RADIUS installer that you want to download.
  3. Use one of the following commands to generate the hash on your local machine. Replace setup in the commands with the file path to your downloaded agent.
    • Linux: sha512sum setup.rpm
    • macOS: shasum -a 512 setup.rpm
    • Windows: CertUtil -hashfile setup.exe SHA512
  4. Verify that the generated hash matches the hash on the Downloads page.

Configuring RADIUS apps
To enable RADIUS authentication with Okta, you must install the Okta RADIUS server agent and configure one or more RADIUS applications in the Okta Admin Console. RADIUS applications in the Admin Console allow Okta to distinguish between different RADIUS-enabled apps and support them concurrently. In addition, Okta RADIUS applications support policy creation and assignment of the application to groups.

For more information on configuring the RADIUS app, see RADIUS applications in Okta.

Installing the agent
See Install the RADIUS Linux agent.

Configure proxies
See Configure proxies.

Configure additional properties
See Configure properties.

Restart the agent
After any upgrade, always stop and restart the RADIUS agent. See restart in Manage the agent.

Manage the agent
See Manage the agent.

Access and manage log files
See Access and manage log files.

Uninstall the agent
See Uninstall the agent.