RADIUS Authentication with Okta

Introduction

Securing network access and controlling user authentication are critical. Integrating Okta with SecureW2 improves network security by combining Cloud RADIUS with Okta’s authentication features. Cloud RADIUS’s principal authentication method is digital certificates, which allow for safe, passwordless network authentication. This article walks you through integrating Okta RADIUS and SecureW2, focusing on configuring Cloud RADIUS for safe, passwordless network authentication. We’ll review how to use Okta RadSec and Okta 802.1x to provide safe and efficient communication between your identity provider and the RADIUS server.

This thorough guide covers everything you need to know to improve network security and ease user authentication, from building SAML apps to enabling dynamic Cloud RADIUS lookups via OAuth.

Integration Process Overview

  1. Create an Okta Identity Provider in SecureW2
    • The Identity Provider provides context that tells the Cloud Connector system how to connect to the Okta user database, verify users, and issue certificates.
  2. Create a SAML Application in Okta
    • When users enter their Okta credentials during the certificate enrollment process, the IDP verifies the user and sends user attributes to SecureW2 via SAML application. Once the attributes have been sent to SecureW2, the user can be issued a customized certificate that is tied to their identity and the identity of their device.
  3. Configure Your Okta User Policies in SecureW2
    • With users organized into user groups, you can begin to customize policies that dictate the network user experience. Admins can begin determining which applications, files, websites, and more each user group should have access to.
  4. Configure Attribute Mapping
    • Administration can customize the attribute mapping in order to segment network users into alike groups. For example, a university would want separate user groups for students and professors, so they configure the attributes to automatically sort users into either of these groups. After mapping attributes, the Okta metadata is uploaded to segment the network.
  5. Set Up RADIUS Lookup via OAuth
    • Cloud RADIUS empowers organizations with certificates because it’s the only RADIUS server that can securely communicate with Cloud Identity Providers (IDP). Admins no longer have to reissue brand new certificates in case a user’s policy changes and the system will update immediately.

Create an Identity Provider in SecureW2

An identity provider (IDP) is the system that proves the identity of a user/device.

Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to your Okta user database, verify user credentials, and issue certificates.

To create an IDP in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. For Name, enter a name.
  4. For Description, enter a description.
  5. Click the Type dropdown and select SAML.
  6. Click the Saml Vendor dropdown and select OKTA.
  7. Click Save.


Now, SecureW2 Cloud Connector knows how to exchange information with your Okta user database.

Create a SAML Application in Okta

Your SAML application is a crucial connection between your IDP and SecureW2.

Your SAML application allows a user to enter their Okta credentials, which are then passed to your IDP for verification. Your IDP verifies the user’s identity and then sends attributes to your SAML application, which then passes the attributes to SecureW2 for certificate issuance.

To create a SAML application to use with SecureW2:

  1. From Okta, go to the Dashboard page.
  2. Under Shortcuts, click Add Applications.
  3. Click Create New App.
  4. In the Create a New Application Integration prompt:
    1. Click the Platform dropdown and select Web.
    2. For Sign on method, select the radio button for SAML 2.0.
  5. Click Create.
  6. On the 1 General Settings step, for App name, enter a name.
  7. Click Next.
  8. In a new browser tab/window, log into your SecureW2 Management Portal and go to Identity Management > Identity Providers.
  9. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  10. Select the Configuration tab.
  11. Copy and paste as follows:
    1. From SecureW2, copy the values for ACS URL and EntityId, and
    2. paste them into Okta (2 Configure SAML step) as Single sign on URL and Audience URI (SP Entity ID), respectively.
  12. Click Next.
  13. On the 3 Feedback step, for Are you a customer or partner?, select the appropriate radio button.
  14. Click Finish.

Configure Your Okta Policies in SecureW2

Configure your Okta rules in the SecureW2 platform to ensure smooth integration and comprehensive security. This procedure entails updating the policies that govern how users and devices interact with your network. Integrating SecureW2’s profile, user role, and enrollment policies with Okta’s identity provider simplifies user administration and improves network security. This section walks you through changing your profile, user role, and enrollment policies to reflect the Okta IDP, resulting in a more integrated and secure network access experience.

Update the Profile Policy in SecureW2

To update the profile policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > Profile.
  2. Click Edit for the profile policy.
  3. Select the Settings tab.
  4. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  5. Click Update.

Update the User Role Policy in SecureW2

To update the user role policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > User Roles.
  2. For DEFAULT ROLE POLICY 1, click Edit.
  3. Select the Conditions tab.
  4. Click the Identity Provider dropdown and select the IDP you created in the section “Create an Identity Provider in SecureW2”.
  5. Click Update.

Update the Enrollment and Role Policies in SecureW2

To update the enrollment policy in SecureW2:

  1. From your SecureW2 Management Portal, go to Policy Management > Enrollment.
  2. For DEFAULT ENROLLMENT POLICY 1, click Edit.
  3. Select the Conditions tab.
  4. In the User Role list, select DEFAULT ROLE POLICY 1.
  5. In the Device Role list, select DEFAULT DEVICE ROLE POLICY 1.
  6. Click Update.

Configure Attribute Mapping in Okta

Proper attribute mapping is critical to ensure user data is sent correctly between Okta and SecureW2. This involves configuring Okta attributes to match the information SecureW2 requires for user authentication and authorization. Setting up attribute mappings correctly allows for smooth integration and ensures that user attributes such as email, first name, and last name are consistently and accurately replicated across your systems. This section describes establishing these mappings in Okta and SecureW2, resulting in efficient user management and secure access control.

To configure attribute mapping in Okta:

  1. From your Okta dashboard, go to the Applications page.
  2. Click the SAML application you created in the section “Create a SAML Application in Okta”.
  3. Select the General tab.
  4. In the SAML Settings section, click Edit.
  5. On the 1 General Settings step, click Next.
  6. On the 2 Configure SAML step, in the ATTRIBUTE STATEMENTS (OPTIONAL) section, configure attributes:
    1. For Name, enter 'email', and for Value, select 'user.email'.
    2. Click Add Another.
    3. For Name, enter 'firstName', and for Value, select 'user.firstName'.
    4. Click Add Another.
    5. For Name, enter 'lastName', and for Value, select 'user.lastName'.
  7. Click Preview the SAML Assertion.
  8. Copy the .xml data that appears.
  9. Open a text file and paste the .xml data into the file.
  10. Save the file using the .xml extension.

Upload the Okta Metadata to SecureW2

To upload the Okta metadata to SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  3. Select the Configuration tab.
  4. Under Identity Provider (IDP) Info, for Metadata, click Choose File.
  5. In the window that appears, select the Okta metadata file (.xml) you saved to your computer in the previous section.
  6. Click Upload.
  7. Click Update.

Configure Attribute Mapping in SecureW2

To configure attribute mapping in SecureW2:

  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
  2. Click Edit for the IDP you created in the section “Create an Identity Provider in SecureW2”.
  3. Select the Attribute Mapping tab.
  4. Click Add.
  5. For Local Attribute, enter 'upn'.
  6. Click the Remote Attribute dropdown and select USER_DEFINED.
  7. In the field that appears, enter 'email'.
  8. Click Next.
  9. Click Add.
  10. For Local Attribute, enter 'email'.
  11. Click the Remote Attribute dropdown and select USER_DEFINED.
  12. In the field that appears, enter 'email'.
  13. Click Next.
  14. Click Add.
  15. For Local Attribute, enter 'displayName'.
  16. Click the Remote Attribute dropdown and select USER_DEFINED.
  17. In the field that appears, enter 'firstName'.
  18. Click Next.
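The two procedures above (the attribute statements configured in Okta and the local/remote mapping configured in SecureW2) are easier to reason about when you can see what the assertion carries and how the mapping consumes it. The following is an added example, not code from SecureW2 or Okta: it parses a constructed SAML assertion shaped like the "Preview the SAML Assertion" output, checks that the Audience matches the SP Entity ID that was pasted into Okta, and applies the upn/email/displayName mapping from the SecureW2 section. The entity ID, issuer and user values are constructed placeholders.

```python
"""Added example (not SecureW2's or Okta's code): read the attribute statement
from a SAML assertion and apply a local <- remote attribute mapping.

Caveat: this does not verify the assertion's XML signature. A real service
provider verifies the signature with the certificate from the uploaded IdP
metadata before trusting any attribute value."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with the three attribute statements
# (email, firstName, lastName) from the Okta section. All values are placeholders.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="id-constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>http://www.okta.com/exk-PLACEHOLDER</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://sp.example.invalid/entity-id</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email"><saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="firstName"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="lastName"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# The mapping configured in the SecureW2 section: local attribute <- remote (Okta) attribute.
ATTRIBUTE_MAPPING = {"upn": "email", "email": "email", "displayName": "firstName"}


def extract_attributes(assertion_xml):
    """Return {attribute name: value} from the assertion's AttributeStatement.
    Multi-valued attributes are returned as a list; single values as a string."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    return attrs


def check_audience(assertion_xml, expected_entity_id):
    """True only if the assertion is addressed to our SP Entity ID (the
    Audience URI pasted into Okta). An assertion minted for another SP is rejected."""
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.findall(
        ".//saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    return expected_entity_id in audiences


def map_attributes(remote_attrs, mapping=ATTRIBUTE_MAPPING):
    """Build the local attribute set; fail closed if a mapped remote attribute is missing,
    since a certificate must not be issued with an empty identity field."""
    missing = sorted({r for r in mapping.values() if r not in remote_attrs})
    if missing:
        raise ValueError(f"assertion lacks mapped attributes: {missing}")
    return {local: remote_attrs[remote] for local, remote in mapping.items()}


if __name__ == "__main__":
    if not check_audience(SAMPLE_ASSERTION, "https://sp.example.invalid/entity-id"):
        raise SystemExit("audience mismatch")
    print(map_attributes(extract_attributes(SAMPLE_ASSERTION)))
```

The audience check is the reason the ACS URL and EntityId must be copied exactly: if the SP Entity ID configured in SecureW2 and the Audience URI configured in Okta differ, a correctly signed assertion still fails at this step. Mapping displayName to firstName, as the page does, yields only the given name; a mapping to a combined value would need an additional attribute statement in Okta.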

How to Set Up Dynamic Cloud RADIUS Lookup via OAuth

Cloud RADIUS can be configured to communicate with your Okta directory and enforce user policies at the time of authentication. Cloud RADIUS empowers organizations with certificates because it’s the only RADIUS server that can securely communicate with Cloud Identity Providers (IDP). Admins no longer have to reissue brand new certificates in case a user’s policy changes and the system will update immediately.

Create a Web Application

  1. Login to Okta
  2. Navigate to Applications
  3. Click Create New Applications
  4. Select Web as the Platform and click Next
  5. Configure the following settings:
    • Note: Use your unique SecureW2 Organization URL as the Login Redirect URI, followed by /auth/oauth/code. You don’t need to enter a Base URI.
  6. Click Save.
  7. Scroll down to Client Credentials.
  8. Copy and save the Client ID.
  9. Copy and save the Client Secret.

Okta API Scopes

Lastly, we need to give this application permission to access the data in our Okta directory.

  1. Navigate to Okta API Scopes under the Manage section.
  2. Grant the following API Scopes:
    • okta.users.read
    • okta.groups.read

Creating an Okta API Token

  1. Log in to the Okta portal.
  2. On the left pane, from the Security menu, select API.
  3. Click Tokens and on the displayed screen, click the Create Token button.
  4. Enter a name for the token and click Create Token.
  5. On the screen that follows, copy the token value from the console and store it securely; it is shown only once.

Create an Identity Lookup Provider

An identity provider (IDP) is the system that proves the identity of a user/device. Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to your Okta user database, verify user credentials, and issue certificates.

During the authentication process, identity lookup validates that a user is active within the organization by checking the identifying information against the existing users in the Identity Provider.

  1. Navigate to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. In the Basic section:
    • Enter a name for the lookup provider.
    • Optional: Enter a description.
    • From the Type dropdown list, select OKTA Identity Lookup.
  4. Click Save.
  5. Click Configuration while still in the Identity Provider edit menu.
    • For Provider URL enter your Okta organization URL.
  6. In the API Token field, enter the token you obtained from the Okta portal.
  7. Click Update.

Adding Attributes

To add a custom attribute to the identity lookup provider, follow the given steps.

  1. Click the Attribute Mapping tab.
  2. Click Add.
    • In the Local Attribute field, enter a name for the attribute.
    • In the Remote Attribute field, select the attribute to be mapped to the Local Attribute. If you select USER_DEFINED, enter a value to be mapped.
  3. Click Next to create the custom attribute with the appropriate mapping.

Configuring Groups

Cloud RADIUS can perform a User Group Lookup. So, we can create network access policies based on the groups a user is in.

  1. Navigate to the Groups tab.
  2. Click Add.
    • Create any name for Local Group.
    • This name will be what shows up later as our ‘Group’ in the SecureW2 Management Portal when we configure policies.
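The identity lookup provider and the group lookup described in the two sections above amount to a query against the Okta Users API at authentication time: confirm the user still exists and is ACTIVE, then read the user's groups and translate them to the local groups used in policies. The following is an added example, not SecureW2's or Okta's code, of that lookup. The HTTP transport is injected so the block runs offline against constructed responses; the real transport sends the API token in Okta's `Authorization: SSWS <token>` header. The org URL, token, user IDs and group names are constructed placeholders.

```python
"""Added example (not SecureW2's or Okta's code): identity and group lookup
against the Okta Users API, as a RADIUS server would perform it at
authentication time. Runs offline through a fake fetch function."""
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

ORG_URL = "https://example-org.okta.com"   # placeholder: your Okta organization URL
API_TOKEN = "PLACEHOLDER-API-TOKEN"        # placeholder: token from Security > API > Tokens


def okta_fetch(path, org_url=ORG_URL, api_token=API_TOKEN):
    """Real transport (not used by the offline demo): GET path under the org URL
    with the SSWS token header Okta API tokens use. Returns (status, parsed JSON)."""
    req = Request(org_url + path, headers={
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
    })
    with urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read())


# Constructed responses keyed by request path, shaped like the Okta Users
# (/api/v1/users/{login}) and user-groups (/api/v1/users/{id}/groups) endpoints.
FAKE_RESPONSES = {
    "/api/v1/users/jdoe%40example.com": (200, {
        "id": "00uPLACEHOLDER1", "status": "ACTIVE",
        "profile": {"login": "jdoe@example.com", "email": "jdoe@example.com"}}),
    "/api/v1/users/00uPLACEHOLDER1/groups": (200, [
        {"id": "00gPLACEHOLDER1", "profile": {"name": "Everyone"}},
        {"id": "00gPLACEHOLDER2", "profile": {"name": "Staff-WiFi"}}]),
    # A user who left: the account still exists but is no longer ACTIVE.
    "/api/v1/users/former%40example.com": (200, {
        "id": "00uPLACEHOLDER2", "status": "DEPROVISIONED",
        "profile": {"login": "former@example.com", "email": "former@example.com"}}),
    # A login that was never in the directory.
    "/api/v1/users/ghost%40example.com": (404, {"errorSummary": "Not found"}),
}


def fake_fetch(path):
    """Offline stand-in for okta_fetch."""
    return FAKE_RESPONSES.get(path, (404, {"errorSummary": "Not found"}))


def lookup_user(login, fetch=fake_fetch):
    """Return (is_active, okta_group_names). Anything other than an existing
    ACTIVE user fails closed: a valid certificate alone is not enough."""
    status, body = fetch("/api/v1/users/" + quote(login, safe=""))
    if status != 200 or body.get("status") != "ACTIVE":
        return False, []
    gstatus, groups = fetch(f"/api/v1/users/{body['id']}/groups")
    if gstatus != 200:
        return False, []
    return True, sorted(g["profile"]["name"] for g in groups)


# Constructed: Okta group name -> local group name, as entered on the Groups tab.
LOCAL_GROUP_MAP = {"Staff-WiFi": "staff"}


def authorize(login, fetch=fake_fetch):
    """Return the local groups to feed into network policy, or None to reject."""
    active, okta_groups = lookup_user(login, fetch)
    if not active:
        return None
    return sorted({LOCAL_GROUP_MAP[g] for g in okta_groups if g in LOCAL_GROUP_MAP})


if __name__ == "__main__":
    for login in ("jdoe@example.com", "former@example.com", "ghost@example.com"):
        print(login, "->", authorize(login))
```

Two points worth noting for the real deployment. First, this is what makes the "no need to reissue certificates" claim work: a deprovisioned user is refused at the next authentication even though their certificate is still valid, because the lookup fails closed. Second, an Okta API token inherits the permissions of the administrator who created it, so create it from an account scoped no wider than the read access the lookup needs.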

Enhancing Network Security with Okta and SecureW2 Integration

Integrating Okta as an Identity provider with SecureW2 provides a powerful, secure network authentication and administration solution. You can use Okta Radius and Okta RadSec to ensure safe, password-free access and efficient user management throughout your network. Implementing Okta 802.1x and dynamic RADIUS lookups via OAuth strengthens your security posture by delivering real-time updates and smooth user experiences. SecureW2’s complete approach to certificate issuance and policy administration complements Okta’s superior authentication capabilities, resulting in a powerful synergy for your organization.

To explore how SecureW2 can improve the security of your network or to receive more support, contact us.

FAQs

How To Setup Okta RADIUS Agent?

To configure the Okta RADIUS Agent, first install it on a Windows or Linux server. There are detailed installation guidelines for both platforms, "Install Okta RADIUS Server Agent on Windows" and "Install Okta RADIUS Agent on Linux." After installing the agent, set up multifactor authentication (MFA) for your users, as most RADIUS apps allow. To do so, log in as an administrator to your Okta tenant, then go to Security > Multifactor and add any necessary extra multifactor policies.

For further information, see the Multifactor Authentication documentation. Once MFA is set up, create an Okta application and then install and configure the RADIUS Agent according to the instructions provided for your platform. This will guarantee that your RADIUS Agent is configured appropriately and linked with Okta for safe authentication.

Does Okta Support RADIUS Authentication?

Yes, Okta supports RADIUS authentication. The Okta RADIUS Server Agent integrates with RADIUS-enabled devices and applications, offering secure multifactor authentication (MFA) for network access. For example, by integrating with SecureW2 Cloud RADIUS, organizations may utilize Okta's identity and access management features to authenticate users using RADIUS by installing the Okta RADIUS Agent on a Windows or Linux server. This integration enables a wide range of MFA techniques, increasing security while keeping user comfort. Detailed setup procedures for both operating systems are available to guarantee that the Okta RADIUS Agent is configured and deployed smoothly.

How To Set Up Dynamic Cloud RADIUS Lookup via OAuth?

To enable Dynamic Cloud RADIUS Lookup using OAuth, create a web application in Okta with the platform set to Web, then define the sign-on mechanism using SAML 2.0. The login redirect URI should contain your unique SecureW2 organization URL. After saving, enable API scopes like okta.users.read and okta.groups.read. Create and save an API token in Okta. In SecureW2, build an Identity Lookup Provider by selecting OKTA Identity Lookup and configuring it with your Okta organization URL and API token. This configuration supports Okta RADIUS, Cloud RADIUS, Okta RadSec, and Okta 802.1x authentication.

How To Create a SAML Application in Okta?

First, to construct a SAML application in Okta, determine the target application's Single Sign-On URL (SAML Assertion Consumer Service URL) and Audience URI (SP Entity ID). Log in to the Okta Admin Console, select Applications > Applications, and click "Create App Integration." Select "SAML 2.0" and then move to the following stage, where you will input an application name. In the SAML Settings section, enter the Single Sign-On URL and Audience URI, then choose "I'm an Okta customer adding an internal app." Complete the setup as instructed by Okta.

Once the app has been built, click on its name, navigate to the Sign On page, and look for the SAML 2.0 area. Click "Identity Provider metadata" to copy the metadata. The SAML application should then construct the URL using this metadata. Following these procedures will result in a seamless connection of your Okta SAML application for safe authentication.

How To Configure Various Okta Policies Using SecureW2 Portal?

To configure multiple Okta policies using the SecureW2 portal, first log into the SecureW2 Management Portal. Navigate to Policy Management and set the profile policy for Okta RADIUS by selecting the appropriate Identity Provider (IDP). Update user role policies by clicking the Conditions tab and selecting the relevant IDP. Similarly, change the enrollment policies to match user and device roles. Go to the IDP settings and map local attributes to Okta attributes for attribute mapping. This configuration supports Cloud RADIUS, Okta RadSec, and Okta 802.1x authentication, guaranteeing secure and manageable network access.

What Is Radsec, and How Does It Work to Improve the Security of Okta Identity Provider?

RadSec is a protocol that improves the security of RADIUS communications by encrypting data sent between RADIUS clients and servers with TLS (Transport Layer Security). In the context of Okta, RadSec protects Okta RADIUS and Cloud RADIUS interactions by encrypting sensitive authentication data to avoid eavesdropping and manipulation. Organizations may safeguard 802.1x network access authentication using Okta RadSec, which provides comprehensive security for identity verification operations. This encryption layer improves the overall security of the Okta Identity Provider by protecting user credentials and providing secure network access.
