How to set up RADIUS server OKTA authentication through CA ACF2 using Advanced Authentication Mainframe/MFA?


Article ID: 198316


Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction

As of now, an RSA RADIUS server is used as MFA in the Development environment. How to use OKTA RADIUS as MFA?

Does ACF2 accept an OKTA TOKEN/PIN as a password?

Please provide guidelines on how to proceed with configuring Advanced Authentication Mainframe to use Okta RADIUS Server for authentication.

 

Environment

CA ACF2 Release : 16.0

CA ADVANCED AUTHENTICATION MAINFRAME 2.0

Component : CA ACF2 for z/OS

 

Resolution

Complete the installation and configuration of the started task for AAM (MFASTC by default) before moving forward with the OKTA RADIUS server setup. Then follow these steps:

1. Define the RADIUS Agent (the system where AAM is running and which is planned to authenticate with the Okta credentials) to the Okta RADIUS Server. Follow the instructions on how to Configure RADIUS Support.

2. Define the RADIUS Server to RADIUS Agent. This is documented in the "Enable CA Advanced Authentication Mainframe" heading under "Using". Please follow the "SetUpControlOverRADIUSAuthentication" section.

For all steps in this section, use the RADIUS_RSA factor name as documented, even though RADIUS with OKTA is going to be used. However, when you reach the MAABURAD job, which defines the RADIUS Server location to AAM, specify the details of the OKTA RADIUS Server instead of those of RSA's RADIUS Server.

3. After running the MAABURAD job with the OKTA Server's details, add the user profile MFA record, using RADIUS_RSA as the factor name, for the users who are going to use the OKTA PIN credentials.

 

To integrate CA ACF2 and OKTA, perform the following additional steps:

1. Turn on password phrase support in ACF2 and enable password phrases for the MFA-controlled users.

2. Make sure that at logon time users enter 'okta_password,okta_token' (inside single quotes) when prompted for their password.
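How the comma-joined credential from step 2 would travel to the Okta RADIUS server, as an added Python example that is not part of the original article and is not Broadcom or Okta code. It assumes AAM sends a standard RFC 2865 PAP Access-Request; the user ID, credential and shared secret are constructed sample values.

```python
import hashlib
import os
import struct

MAX_USER_PASSWORD = 128  # RFC 2865 section 5.2 limit, in bytes

def hide_password(credential: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP credential as RFC 2865 section 5.2 specifies."""
    if not 1 <= len(credential) <= MAX_USER_PASSWORD:
        raise ValueError("credential must be 1..128 bytes")
    padded = credential + b"\x00" * (-len(credential) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse: what the RADIUS server recovers with the shared secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def access_request(user, credential, secret, ident=1, authenticator=None) -> bytes:
    """Build an Access-Request (code 1) with User-Name (1) and User-Password (2)."""
    authenticator = authenticator or os.urandom(16)
    attr = lambda t, v: bytes([t, len(v) + 2]) + v
    body = attr(1, user.encode()) + attr(2, hide_password(credential.encode(), secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs

# Constructed sample values (assumptions, not from the article).
SECRET = b"constructed-shared-secret"
CREDENTIAL = "Passw0rdPhrase,123456"   # okta_password,okta_token as typed at logon
if __name__ == "__main__":
    pkt = access_request("TESTUSR", CREDENTIAL, SECRET)
    pwd = unhide_password(parse_attributes(pkt)[2], SECRET, pkt[4:20])
    print(len(pkt), pwd.decode())
```

The hiding rests entirely on the RADIUS shared secret, so the secret configured between the RADIUS Agent and the Okta RADIUS Server deserves the same protection as a credential.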

 

Additional Information

For more information, please review:

Sign On with Multi-Factor Authentication Credentials (CA ACF2)