FortiGate
Adryan_you
Staff
Article Id 344984
Description: This article describes integration details for FortiGate with Okta RADIUS authentication.
Scope: FortiGate.
Solution

Okta can authenticate user access using the RADIUS protocol, and FortiGate can integrate with Okta RADIUS to control that access.

 

For Okta RADIUS, the domain controller must be able to reach Okta (through the 'Okta AD Agent' software), while FortiGate must be able to communicate with Okta through the 'Okta Server Agent' for authentication and authorization.

 

Note:

'Okta AD Agent' and 'Okta Server Agent' are two different pieces of software:

 

OKTA-Radius-flow-001.png

 

After setting up the Okta account, install the 'Okta AD Agent' software on the domain controller. The domain controller communicates with the Okta account to import Active Directory (AD) user information into Okta. The 'Okta AD Agent' must have internet access to reach the Okta account.


Note:

Each AD user account may need the following attributes populated so that it can be imported into Okta (Directory Integrations):

First Name, Last Name, Email address, Department

 

OKTA-Radius-002.png

 

Once the AD users are imported into Okta, create the Okta RADIUS Application and assign the AD users/groups to it.

In the application, configure the RADIUS Client UDP port and the RADIUS secret key.

 

Note:

The RADIUS Client UDP port and RADIUS secret key are used later in the FortiGate RADIUS server configuration and must match on both sides.

 

OKTA-Radius-003.png

 

OKTA-Radius-004.png

 

The 'Okta Server Agent' software has to be installed on a computer/server that has internet access and is reachable from FortiGate. FortiGate, acting as the RADIUS client, communicates with Okta RADIUS through the 'Okta Server Agent'.

On FortiGate, configure the RADIUS server by navigating to User & Authentication -> RADIUS Servers -> Create New. The secret key and RADIUS port must be the same as those configured in the Okta RADIUS Application.

 

kb 29.1.PNG

 

OKTA-Radius-005.png

 

Once a RADIUS user group associated with the RADIUS server above has been created in FortiGate, make sure to add that user group to both the SSL VPN portal mapping and the SSL VPN firewall policy.

 

OKTA-Radius-006.png

 

OKTA-Radius-007.png
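The GUI steps above expressed as FortiOS CLI, added here as an example and not taken from the original article. The server address, secret, interface names, portal name and timeout are placeholders or assumptions; the secret and port must match the Okta RADIUS Application, and the authentication type must be one the Okta RADIUS app accepts (PAP is assumed here).

```fortios
# RADIUS server object pointing at the host running the Okta Server Agent.
config user radius
    edit "OKTA-RADIUS"
        set server "192.0.2.10"          # placeholder: Okta Server Agent host
        set secret "REPLACE_WITH_OKTA_RADIUS_SECRET"
        set radius-port 1812             # must equal the Okta RADIUS Client UDP port
        set auth-type pap                # assumption: protocol enabled in the Okta app
    next
end

# Firewall user group backed by the RADIUS server above.
config user group
    edit "OKTA_MFA_VPN_IT"
        set member "OKTA-RADIUS"
    next
end

# Map the RADIUS group to an SSL VPN portal ("full-access" is a placeholder name).
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "OKTA_MFA_VPN_IT"
            set portal "full-access"
        next
    end
end

# SSL VPN firewall policy restricted to members of the RADIUS group.
# "port1" and the address objects are placeholders; "edit 0" takes the next free ID.
config firewall policy
    edit 0
        set name "SSLVPN-OKTA-IT"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "OKTA_MFA_VPN_IT"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Assumption: Okta MFA push/OTP prompts can exceed the default remote auth timeout,
# so raise it (seconds) to avoid the RADIUS request timing out mid-approval.
config system global
    set remoteauthtimeout 60
end
```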

 

Result

Use the following command on FortiGate to test authentication against the RADIUS server. With a working integration, the test is reported as successful.

 

diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>

 

OKTA-Radius-008.png

 

The SSL VPN debug output shows the authentication and connection succeeding; it can be verified with the following debug commands:

 

diagnose debug disable
diagnose debug reset
diagnose debug app fnbamd -1
diagnose debug app sslvpn -1
diagnose debug console time enable
diagnose debug enable

 

To disable the debug processes:

 

diagnose debug disable
diagnose debug reset

 

Debug output:


[5336:root:1c]sslvpn_authenticate_user:192 authenticate user: [ITuser001@jackieeden.com]
....
....
[5336:root:1c]Auth successful for user ITuser001@jackieeden.com in group OKTA_MFA_VPN_IT <-----

 

Related articles:

Troubleshooting Tip: SSL VPN Troubleshooting

Troubleshooting Tip: How to test FortiGate's radius user authentication to the RADIUS server

Troubleshooting Tip: RADIUS authentication troubleshooting