Okta Agent - RADIUS Configuration - Authentication Manager - RSA Ready Implementation Guide
a year ago
Originally Published: 2021-11-02

This article describes how to add RSA as an authenticator for Okta Agent with RSA Authentication Manager using RADIUS.

     

Configure RSA Authentication Manager

Perform these steps to configure RSA Authentication Manager using RADIUS.
Procedure

  1. Sign in to the Security Console.
  2. Navigate to RADIUS > RADIUS Clients, click Add new, and provide the following details:
    1. Client Name: Give any suitable name.
    2. ANY client: Select the checkbox.
    3. IP address Type:  IPV4
    4. IPv4 Address: IP address of the machine where the Okta agent is installed.
    5. Make/Model: Standard Radius
    6. Shared Secret: This should be the same as what was configured in the Okta configuration.
  3. Click Save & Create Associated RSA Agent.

  

Note

To mitigate the Blast RADIUS vulnerability, ensure that the Message-Authenticator attribute flag is enabled. Perform the following steps: 

  1. Log in to the Operating console as an administrator.
  2. Navigate to Deployment Configurations > RADIUS Servers.
  3. Select the Manage Server Files option.
  4. Click the drop-down icon against the dynamic-clients file and click Edit.
  5. To enforce the use of Message-Authenticator attribute across all IPv4 and IPv6 clients, update all four entries of the Message-Authenticator attribute flag (&FreeRADIUS-Client-Require-MA) as follows: "&FreeRADIUS-Client-Require-MA = yes"
  6. Click Save& Restart RADIUS Server.

For more details on the RADIUS configuration file, refer to the RADIUS Reference Guide

 

Configure Okta

Perform the steps in this section to configure RSA as an authenticator in Okta.
Procedure

  1. Log in to Okta admin console.
  2. Click Security > Authenticators.
  3. Click Add Authenticator and select RSA.
  4. Download the Okta agent and install it on the machine. Ensure the machine where the agent is installed meets the hardware requirements. Note down the Instance ID to be used in the installation.
  5. Post successful installation, add the following details in the same form:
    1. Username format: Okta username prefix
    2. Hostname: IP address of the Authentication manager.
    3. Authentication Port:1812
    4. Shared Secret: This should be the same as what is given in the RSA configuration.
  6. Click Save.
  7. Navigate to Security > Authentication Policies.
  8. Make sure the policy for the Okta Admin Console app has RSA SecurID as an Additional factor type.

   

Notes

  • Ensure that the user used for testing the integration is created in Okta also. Navigate to Directory > People to create the user.
  • Ensure the application for Okta Admin Console is present and the admin user is assigned to the application.
  • Ensure the policy assigned to the application has RSA SecurID as the Additional factor type.
  • While testing the integration, provide the complete e-mail address of the user.

 

The configuration is complete.

Return to Okta Agent - RSA Ready Implementation Guide.

Related Articles

Trending Articles

Don't see what you're looking for?