OKTA and WTI Unit Configuration
WTI supports OKTA 2FA through the OKTA Radius Agent and Application.
You need to load the OKTA Radius Agent onto a Windows Server that acts as a shim between the WTI unit and the OKTA service.
In other words on the WTI Device you point the RADIUS parameters to the OKTA Radius Agent running on a Windows server, then the OKTA Radius Agent points to the Radius Application on you OKTA Radius Application on your online account.
In this demo:
- WTI Device is 192.168.100.53
- OKTA Radius Agent/Windows Server: 192.168.100.69
- OKTA Radius Application: syncpak.okta.com
- On your Mobile Phone the OKTA Verify App
1. Install the OKTA Radius Agent on a Windows Server
Note the "Shared Secret" and "Radius Port"
2. Login to your Okta account, and get into the "Admin" section.
- Click on the Applications tab
- Make sure you have the "Radius Application",
- If not then click on "Add Application" and in the search box type in "RADIUS Application"
- click Add Your Secret Key and UDP Port should match the settings in Step 1
3. After you install the OKTA RADIUS Application we need to add some users. Click on the Applications tab and click on the "RADIUS Application"
Click on the "Assign" button and assign some users to the Radius Application
4. The users just added will need to have the OKTA Verify app installed on their mobile phone and sync’d to your OKTA account.
5.The flow for Radius session will be :
- User sends credentials to VPN device connected to Okta via RADIUS
- VPN device forwards user credentials to the Okta RADIUS Server Agent
- Okta RADIUS Server Agent uses Okta APIs to validate credentials
- Okta validates user credentials
- Okta APIs respond with MFA challenge based on configured policy
- RADIUS Server Agent sends challenge to VPN device
- VPN device presents RADIUS challenge to end user
- VPN device sends RADIUS challenge response to Okta RADIUS
- Okta RADIUS sends response to Okta APIs to be validated
- Okta APIs respond with correct/incorrect for the response
- Okta RADIUS sends ACCEPT or REJECT to the VPN device
6. WTI Device setup using the /N command and select option 29.
1. Enable: On
2. Primary Host/Address: 192.168.100.69
3. Primary Secret Word: (defined)
4. Secondary Host/Address: (undefined)
5. Secondary Secret Word: (undefined)
6. Fallback Timer: 3 Sec
7. Fallback Local: On (All failures)
8. Retries: 3
9. Authentication Port: 1812
10. Accounting Port: 1813
11. Default User Access: On
12. OneTime Auth: On
13. OneTime Auth Timer: 30
14. OneTime Auth Type: Cookies
15. Session Module Type: Enable
16. Debug: Off
17. Ping Test
Enter: #<CR> to change,
<ESC> to return to previous menu ...
5. Login to the unit using SSH enter your username defined in the RADIUS Application. Then at the password prompt, enter your password then a comma now the current code on your OKTA Verify app for your account.
Note: Under the OKTA Radius application configuration; the option for single line entry for password and token separated by comma was enabled. (See advanced Radius settings/Authentication).
Putty Log IN:
login as: Username
Keyboard-interactive authentication prompts from server:
Console Server Site ID: (undefined)
Voltage (A/B): ON/OFF
Enter /H for command menu. System Temperature: 77F