Okta Agent - RADIUS Configuration - Cloud Authentication Service - RSA Ready Implementation Guide
Originally Published: 2021-11-07

This article describes how to add RSA as an authenticator for Okta Agent with RSA Cloud Authentication Service using RADIUS.

  

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using RADIUS.
Procedure

  1. Sign in to RSA Cloud Authentication Console with administrator credentials.
  2. Navigate to Authentication Clients > RADIUS.
  3. Click Add Radius Clients and Profiles.
  4. On the Add RADIUS Client page, provide the following details:
    1. Name: Any name for your RADIUS client.
    2. IP Address: IP address of the machine where the Okta agent is installed.
    3. Shared Secret: This must be the same as the shared secret entered on the Okta side.
    4. Under Authentication Details, choose Cloud Authentication Service only applies access policy for additional authentication.
    5. Enable the options as shown in the following image.
    6. Select your configured policy.
  5. Click Save and Next Step.
  6. Click Finish and click Publish Changes.

    

Notes

  • To mitigate the Blast RADIUS vulnerability, ensure the Message-Authenticator attribute flag is enabled when configuring the RADIUS client.
  • Perform the following steps to copy the Management IP address:
    1. Navigate to Platform > Identity Routers.
    2. Expand the Identity Router and note down the Management IP address to be used in the Okta configuration.

    

Configure Okta

Perform the steps in this section to configure RSA as an authenticator in Okta.
Procedure

  1. Log in to the Okta admin console.
  2. Click Security > Authenticators.
  3. Click Add Authenticator and select RSA.
  4. Download the Okta agent and install it on the machine. Ensure the machine where the agent is installed meets the hardware requirements. Note down the Instance ID to be used in the installation.
  5. After successful installation, add the following details in the same form:
    1. Username format: Okta username prefix
    2. Hostname: Management IP address of the Identity Router. Refer to the Notes section in RSA configuration on how to find this.
    3. Authentication Port: 1812
    4. Shared Secret: This should be the same as what is given in the RSA configuration.
  6. Click Save.
  7. Navigate to Security > Authentication Policies.
  8. Make sure the policy for the Okta Admin Console app has RSA SecurID as an Additional factor type.

   

Notes

  • Ensure that the user used for testing the integration is also created in Okta. Navigate to Directory > People to create the user.
  • Ensure the application for Okta Admin Console is present and the admin user is assigned to the application.
  • Ensure the policy assigned to the application has RSA SecurID as the Additional factor type.
  • While testing the integration, provide the complete e-mail address of the user.

 

The configuration is complete.
