Skip to content

bdalpe/RADIUS-to-Okta-MFA

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

183 Commits

.github

.github

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

dictionary

dictionary

 
 

docker-compose.yml

docker-compose.yml

 
 

okta.py

okta.py

 
 

radius_tester.py

radius_tester.py

 
 

requirements.txt

requirements.txt

 
 

run.sh

run.sh

 
 

server.py

server.py

 
 

tests.py

tests.py

 
 

Repository files navigation

OKTA Radius to MFA Gateway

I ran into an issue with Okta and the Remote Desktop Gateway/Network Policy Server not working correctly. This program overcomes the issues and allows for you to enforce multi-factor authentication on connections made through the RD Gateway.

Some assumptions were made when designing this program. This program only supports the Okta Push verification method. A user must already be setup/enrolled with a push factor. Second, no group enforcement is currently done on the Okta side. You must control access to your Remote Desktop services through the NPS.

Requirements

You will need the following information:

  1. Your Okta tenant url (e.g. planet-express.okta.com)
  2. An API key from your tenant
  3. The shared RADIUS secret the calling station

Setup and Run

Standalone

To run the program standalone:

Ensure Python >=3.8 is installed. Edit the environment variables in the run.sh script.

pip3 install -r requirements.txt
/bin/sh run.sh

Docker Container (Recommended)

To run the program using Docker:

Edit the environment variables in the docker-compose.yml file. Then run:

docker-compose up -d

API Permissions

To follow security best practices, I recommend using the least privileged account permissions possible. To make this program work with Okta, a Help Desk Administrator level account is required. It is not recommended that you use an API key tied to a superadmin or org admin.

Using samAccountName to Find a User

By default, the server will use the Okta username to locate the user record, however some systems use samAccountName as the username identifier. To locate user records in Okta by the samAccountName attribute, add the following to your run.sh:

export OKTA_USE_SAMACCOUNTNAME=true

Poll Timeout

To reduce the likelihood that a user is prompted multiple times for a single authentication request, requests to the Okta verify endpoint are threaded. Internally, state is kept for each user_id that is authenticating. If multiple requests are received before the user has responded to the push challenge and the OKTA_POLL_TIMEOUT window has not expired yet, the subsequent requests will wait for the first request to complete and return the same result.

To customize the timeout period for the verification request, set the OKTA_POLL_TIMEOUT environment variable. Default setting is 60 seconds.

export OKTA_POLL_TIMEOUT=60

About

A utility to support Windows Remote Desktop Gateway MFA with Okta.

Topics

radius okta

Resources

Readme

License

MIT license
Activity

Stars

8 stars

Watchers

3 watching

Forks

3 forks
Report repository

Packages 1

 

Contributors 4

  •  
  •  
  •  
  •  

Languages