FreeRADIUS and Okta LDAP Interface

Brian Blater brian.blater+freeradius at digitalturbine.com
Wed Mar 6 20:27:40 UTC 2024


First time poster here, so bear with me.

I've been using MS NPS for our WiFi authentication against AD.
However, the company I work for is moving away from AD and going to
Okta for all our directory needs and SSO.

Okta supports RADIUS from a handful of proprietary systems. None of
which we have. We are using Unifi APs for our WiFi. As is typically
the case, I have ZERO budget for this. So, implementing an online
proprietary system at $X/user/month isn't possible, although much
easier.

So, I spun up a new Ubuntu VM and installed FreeRADIUS. I've already
got the Okta LDAP Interface created and working. I've used it with
both Jamf and ldapsearch. That piece seems to be working at this time.
I have followed various instructions online and have FreeRADIUS up and
working using a test user in the local sql db.

Now the part of integrating it with Okta. I have searched all over for
information on configuring FreeRADIUS with Okta and I've found very
little. Okta does have a RADIUS agent for linux, but from my install
and attempt to configure that I've found it lacking many features.

Following what documentation I could find I have modified the ldap
file and linked it to /mods-enabled/ldap. In the ldap { section I've
modified the following:
server
identity
password
base_dn

I've also made the necessary changes in the user and group sections.
In the tls section I've changed start_tls = yes and specified the
ca_file.

Now I can't even get freeradius -X to start. I get the following when
running that:
/etc/freeradius/3.0/mods-enabled/ldap[8]: ldaps:// scheme is not
compatible with 'start_tls'
/etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module
"ldap"

If I change start_tls to no, I get the following:
TLS: can't connect: (unknown error code).
rlm_ldap (ldap): Bind with uid=<redacted>, dc=com to
ldaps://redacted.ldap.okta.com:636 failed: Can't contact LDAP server
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/freeradius/3.0/mods-enabled/ldap[8]: Instantiation failed for module
"ldap"

One thing to mention here is when doing an ldapsearch using the following:
ldapsearch -x -H ldaps://digitalturbine.ldap.okta.com -D
"uid=<redacted>,dc=com" -W -b dc=redacted,dc=okta,dc=com
uid=<username>
I get results.

This is of course using simple auth (-x), so I'm not having to use the
cert for this and Jamf appears to be doing simple auth as well. Which
appears to be the issue at this point.

How do I configure FreeRADIUS ldap to do simple auth in this case?
Must be something I'm missing in the ldap file, but can't put my
finger on it.

Once I get FR talking to the Okta LDAP instance I can move on to the
other pieces I need to figure out how to configure - auth based on
group membership, different sites etc.

Any suggestions?

Thanks, brian
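As an added illustration (not part of the original post, and not Okta's or FreeRADIUS's own documentation), here is the rlm_ldap setting combination that triggers the first error quoted above, beside the form that rlm_ldap accepts for an ldaps:// server. Hostnames, DNs, the password and the ca_file path are placeholders; the group section assumes the usual Okta LDAP interface schema and should be checked with ldapsearch before relying on it.

```conf
# Added example, not from the original post. Hostnames, DNs and
# file paths are placeholders to replace with your own values.

# Form that produces "ldaps:// scheme is not compatible with
# 'start_tls'": start_tls means STARTTLS on a plain ldap:// session
# (port 389), while ldaps:// already negotiates TLS at connect time,
# so the two cannot be combined.
#
#   ldap {
#       server = 'ldaps://EXAMPLE.ldap.okta.com'
#       tls {
#           start_tls = yes
#       }
#   }

# Accepted form: implicit TLS on 636, start_tls off, and the tls
# section kept because it still controls certificate verification.
ldap {
	server = 'ldaps://EXAMPLE.ldap.okta.com'
	port = 636

	# Service account used for the initial bind and for user lookups.
	# identity + password is a simple bind, the same operation
	# ldapsearch performs with -x -D <dn> -W.
	identity = 'uid=SERVICE_ACCOUNT,dc=EXAMPLE,dc=okta,dc=com'
	password = 'REPLACE_ME'

	base_dn = 'dc=EXAMPLE,dc=okta,dc=com'

	user {
		base_dn = "${..base_dn}"
		# Look the supplicant up by uid, as the ldapsearch in the post does.
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		# Assumed Okta LDAP interface schema; verify with ldapsearch.
		base_dn = "${..base_dn}"
		filter = '(objectClass=groupOfUniqueNames)'
		membership_attribute = 'memberOf'
	}

	tls {
		ca_file = /etc/ssl/certs/ca-certificates.crt
		require_cert = 'demand'   # fail closed on an untrusted chain
		start_tls = no            # must be 'no' with an ldaps:// server
	}
}
```

With ldaps:// the tls section still governs verification, so a "TLS: can't connect" from this form usually means ca_file does not contain the chain that issued the Okta endpoint's certificate; `openssl s_client -connect EXAMPLE.ldap.okta.com:636 -showcerts` shows which chain is presented.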

