How to set up RADIUS server Okta authentication through ACF2 using Advanced Authentication Mainframe/MFA

Article ID: 198316


Products

ACF2, ACF2 - z/OS, ACF2 - MISC, Advanced Authentication Mainframe

Issue/Introduction

This article describes how to set up a RADIUS server such as Okta as MFA on the Mainframe using Advanced Authentication Mainframe on an ACF2 secured system.

Environment

Resolution

  1. Configure the MFASTC started task. See Configure the Started Task for ACF2.

  2. Define the RADIUS Agent (the system where AAM is running and planned to authenticate with the Okta credentials) to the Okta RADIUS Server. Follow the instructions on how to Configure RADIUS Server.

  3. Define the RADIUS Server to the RADIUS Agent. This is documented in Enable RADIUS Authentication through ACF2.

    For all steps in this section, use the RADIUS_RSA factor name as documented, even though RADIUS with Okta is going to be used. However, when you reach the MAABURAD job that defines the RADIUS Server location to AAM, specify the details of the Okta RADIUS Server instead of RSA's RADIUS Server. See Update the Global Factor Record for ACF2 Using MAABURAD.

  4. After running the MAABURAD job with the Okta Server's details, add the user profile MFA record, using RADIUS_RSA as the factor name, for the users who are going to use the Okta PIN credentials. See the 'Add User Profile MFA Record for RADIUS Users' section within Update the Global Factor Record for ACF2 Using MAABURAD.


To integrate ACF2 and Okta, perform the following additional steps:

  1. Turn ON password phrase support in ACF2 and enable password phrase for the MFA-controlled users.

  2. Make sure that, at logon time, users enter their 'okta_password,okta_token' (inside single quotes) when prompted to enter their password.

Additional Information

For more information, review Sign On When Using RADIUS Credentials with ACF2.