Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!

Troubleshoot Okta RADIUS Internal Server Error

Key Points
  • Okta is an Identity and access management solution for enterprises. The user experience is generally excellent, but you may face some common errors.
  • Some common internal server errors are “Okta RADIUS Agent Installation Error,” “Okta RADIUS Agent failed,” and “RADIUS authentication failure despite correct credentials.” These errors can be mitigated by following the simple steps in this guide.
  • Alternatively, you can deploy a CloudRADIUS with a solid technical support team for smooth certificate-based authentication that natively integrates with your Okta directory.

Okta is one of the leading Identity and Access Management (IAM) service providers for enterprises around the globe. They provide a great user experience, but sometimes you might encounter some RADIUS errors due to some technical glitches in the server. These errors can ruin the seamless integration of your enterprise with Okta and must not be ignored.

Although most of these errors are resolvable, they still require a deep technical understanding or a good support team. Here, we will help you figure out some major RADIUS Server errors users face while integrating with Okta and their practical solutions.

Okta RADIUS Agent Installation Error: Failed to set server status

In this RADIUS installation error, the Okta Agent fails when starting the service and the following errors appear in the commons-daemon logs report:

  • [error] [388] Failed to set service status
  • [error] [388] The handle is invalid.

This error is caused by a failed RADIUS installation attempt and is generally resolved by following the instructions of the Okta support.

Remove the RADIUS directory from the affected server:

  1. Navigate to C:\Program Files (x86)\Okta.
  2. Delete the Okta RADIUS Agent folder.

Remove the API Tokens via the Okta UI:

  1. Navigate to Admin –> Security –> API.
  2. Filter tokens via RADIUS Agent on the left-hand pane.
  3. Delete each token that matches the RADIUS server hostname.

 If the RADIUS installation error is still not resolved, try some of these other potential fixes:

  • Ensure that you installed the Okta RADIUS Agent on one of the supported Windows or Linux versions for Okta RADIUS:
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019
  • The Okta RADIUS agent does not support Windows versions 2008, 2008 R2, and 2003 R2.
  • The Okta RADIUS agent has been tested on the following Linux versions:
    • Red Hat Enterprise Linux release 8.0, 8.3
    • CentOS 7.6
    • Ubuntu 18.04.4, 20.04.1 LTS
  • Try using the full Okta URL under “Custom” instead of just the subdomain under “Production” in the installer.
  • Check for the presence of a proxy server (because the RADIUS Server Agent installer is sensitive about proxies).
  • Try checking for an SSL interception device like Palo Alto or FireEye. This issue is related to certificate pinning and affects all agents.
  • Try a different server in a similar environment to eliminate any local machine issues.
  • Ensure no leftover files are under c:\program files (x86)\Okta\Okta RADIUS\ from a previously failed install.
  • Check Windows services.msc to ensure there isn’t an Okta RADIUS service leftover from a previous installation.
  • Try another version of the RADIUS Server Agent, like the latest EA version.

Okta RADIUS Agent Failed

There are a few instances where, after installing Okta RADIUS Agent, you may get the following error message:

 

2020-02-19 20:13:03 UTC [EC2AMAZ-PN6BAAU, pool-1-thread-4] : ERROR – Failed to get radius apps from Okta com.okta.ragent.exception.OktaRadiusException: com.okta.ragent.exception.OktaAuthException: You do not have permission to perform the requested action.

 This error often occurs when the Okta RADIUS service account does not have the permissions set up correctly in Okta and is generally resolved by following these instructions from Okta support.

  1. Navigate to the Okta Admin Console.
  2. Click Security > Administrators.
  3. Ensure the RADIUS service account is added to the Administrators list and set as a SUPER Admin.

This should successfully grant sufficient permissions. Occasionally, you might face the issue of an unreachable RADIUS agent where the RADIUS Server Agent is running, but the RADIUS client device cannot reach it. This issue is different from failing logins and can usually be sorted by following these instructions from Okta support.

  • Check the Okta RADIUS logs under C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\logs\ to see if any connections are being made. Any contact, even failed ones, should show up.
  • Double-check the server name/server IP, entered into the VPN device just to make sure it was typed correctly.
  • Verify the status of the Windows firewall on the Okta RADIUS Server Agent server to make sure it is not blocking the connection.
  • Verify that the VPN device and the server can reach each other via ping or confirm the connectivity from a network admin.
  • Configure the RADIUS server using the IP address instead of the hostname. Some networks where DNS is limited can not resolve the hostnames.
  • Determine if network layer issues prevent connection with a network engineer or the admin.

RADIUS authentication fails even though correct credentials are specified

You might encounter this error when the RADIUS Server Agent rejects valid login attempts. There are several possible causes for this error, but including special characters in RADIUS secret is the most common one. You can resolve this error by simply removing the special characters from the RADIUS secret.

If that wasn’t the issue, try some of these other solutions from Okta support.

  • Check if the RADIUS Server Agent is rejecting valid login attempts.
  • Verify if the user is assigned to the RADIUS App in Okta.
  • Verify whether the user is enrolled in MFA.
  • Verify the shared secret on both the Okta RADIUS Server Agent and the VPN device. A mismatch will cause all authentications to fail.
  • Check the local RADIUS logs for any errors that could indicate an expired API token.
  • If you see an unusual username in the logs (the log shows “Á” instead of “Bob”), it indicates that the server is using MSCHAPv2 to encode the username. You must verify the VPN device configuration to ensure only PAP authentication is enabled.
  • Check the VPN device configuration to make sure only PAP authentication is enabled.
  • Check the Okta Syslog to verify the reasons for the rejection of the connection.
  • Check VPN device for any settings that could/would restrict login.

SecureW2 offers practical technical support to these drawbacks with its innovative Cloud RADIUS, designed from the ground up for passwordless authentication and vendor-neutrality, allowing for seamless integration with virtually any IDP. It follows EAP-TLS passwordless authentication and works with IDPs like Azure AD, Okta, and Google to provide high privilege access.

Cloud RADIUS Native Integration with Okta

With SecureW2, your organization can deploy a top of a line, RADIUS-backed network fully functional in a matter of hours. With our Turnkey Managed PKI, 802.1x Onboarding, and Cloud RADIUS Server, you can smoothly configure secure certificate-based authentication with your Okta directory.

Secure W2 also has a fantastic support team that’s ready to assist you with any help you may need. We work with all cloud-based SAML providers to eliminate any headaches traditionally associated with integration. Check out our Okta Solutions page to see how we can boost your network security.

Tags: okta
Learn about this author

Vivek Raj

Vivek is a Digital Content Specialist from the garden city of Bangalore. A graduate in Electrical Engineering, he has always pursued writing as his passion. Besides writing, you can find him watching (or even playing) soccer, tennis, or his favorite cricket.

Troubleshoot Okta RADIUS Internal Server Error