Okta RADIUS only supports PAP-based authentication, which OpenVPN Access Server supports. Can someone help me understand how this makes any amount of sense??? (both how Okta can justify implementing this and how OpenVPN can support this?)
You would commonly see PAP used on ancient operating systems or legacy systems. And it’s very unusual to see PAP used by itself these days. That’s because PAP communicates in the clear. So there’s no encryption or any additional security of the information you’re sending using this Password Authentication Protocol.
As for the thought behind having it set up with RADIUS in the first place, you would think that MFA would have to be mandatory since you are sending your credentials in the clear...however, that is not the case in their documentation.
If MFA is not enabled and the user credentials are valid, the user is authenticated. If MFA is enabled and the user credentials are valid, the user is prompted to select a second authentication factor. The user selects one (e.g., Google Authenticator or Okta Verify) and obtains a request for a validation code. If the code sent back to the client is correct, the user gains access.
I saw reading through their documentation that Okta uses SSL pinning. Still, I fail to see how that would be helpful since the communicating VPN solution is not going to send this over in some sort of encapsulated format? (Or am I misunderstanding?)
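Added example, not code from the original post or from Okta or OpenVPN: a minimal RADIUS Access-Request carrying a PAP password, built and parsed in Python, to show concretely what the RADIUS leg puts on the wire. RADIUS does not send the PAP password literally in the clear; it hides it with the RFC 2865 section 5.2 construction (MD5 keystream from the shared secret and Request Authenticator), so the password's confidentiality on that hop rests entirely on the shared secret and on who can observe the path. The secret, username, password and authenticator below are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous block), seeded with the 16-byte Request Authenticator.
    The only secret in this construction is the RADIUS shared secret."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drops padding (and any trailing NULs in the password)


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes = b"") -> bytes:
    """Minimal PAP Access-Request: header, Request Authenticator, User-Name, User-Password."""
    authenticator = authenticator or os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([USER_NAME, 2 + len(username)]) + username
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def on_wire_view(packet: bytes) -> dict:
    """What a passive observer sees without the secret: the username in the clear,
    the hidden User-Password bytes, and the authenticator (all needed for recovery)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    view = {"code": code, "authenticator": packet[4:20], "attrs": {}}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        view["attrs"][atype] = packet[pos + 2:pos + alen]
        pos += alen
    return view
```

Run `on_wire_view(build_access_request(...))` and compare `attrs[2]` with and without `reveal_password` to see why the shared secret (and the network between VPN server and RADIUS agent) carries the whole burden that a stronger method like EAP would otherwise carry.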