How to use Okta MFA with NoMachine on Linux
Prerequisites: the Okta RADIUS Server Agent and the pam_radius_auth PAM module must be installed and configured on the Linux host, and the NoMachine server must be installed on that same host.
On the Okta side, a RADIUS application must be configured for the Okta RADIUS Server Agent, the intended users or groups must be assigned to it, and MFA must be enrolled for those users.
NoMachine connections over both the NX protocol and the SSH protocol, whether made from the client or from the web, can use Okta MFA. Each protocol needs its own configuration: /etc/pam.d/nx for connections over the NX protocol, and the system SSHD configuration for connections over the SSH protocol.
Note that this procedure does not describe in detail how to configure the Okta environment; it gives general guidelines on the steps needed to integrate NoMachine with an Okta MFA setup that is already up and running.
Instructions
Step 1 - On Linux install Okta RADIUS Server Agent as described here:
https://help.okta.com/en/prod/Content/Topics/integrations/Agent_Installing_the_Okta_Radius_Agent-linux.htm
Step 2 - Create a RADIUS application in Okta and assign the desired users or groups to it. Okta primary authentication should be enabled.
Note that in the RADIUS application's "Assignments" tab each Okta user must be mapped to a local account on the Linux host, since NoMachine users log in with the local username (see Step 8),
e.g. 'oktamfatest' (Okta username) mapped to 'user12345' (local Linux username).
Step 3 - Activate Okta Verify on the user's device
https://help.okta.com/en/prod/end-user/Content/Topics/end-user/ov-overview.htm
Step 4 - Enable Okta Verify as an MFA factor and set the enrollment policy for the users or groups selected when the application was created, as described here:
https://help.okta.com/en/prod/Content/Topics/Security/mfa/about-mfa.htm
Step 5 - Install the pam_radius_auth module on the Linux host (for example, the libpam-radius-auth package on Debian/Ubuntu, or pam_radius from EPEL on RHEL-based distributions).
Step 6 - Edit /etc/pam_radius_auth.conf and set the server address and port to those the Okta RADIUS Server Agent listens on, 'shared_secret' to the secret configured in the Okta RADIUS application, and 'timeout' to the number of seconds to wait for a response (long enough for the user to complete the MFA prompt). The file holds the shared secret in clear text, so keep it owned by root with mode 0600.
e.g.
# server[:port] shared_secret timeout (s)
127.0.0.1:1819 NoMachine.1 30
Step 7 - To use Okta MFA for NoMachine connections over the NX protocol, edit /etc/pam.d/nx and add the following line above the line 'auth include su':
auth required pam_radius_auth.so
With 'required', a login is refused unless the RADIUS server returns an Access-Accept, so a RADIUS server that is down or times out also blocks logins; keep a local console or another recovery path available while testing.
If users connect by NoMachine over the SSH protocol, configure SSHD to use the pam_radius_auth module as well (typically in /etc/pam.d/sshd).
Step 8 - Connect by NoMachine, either with the client or from the web. Enter the local account name as the username and the Okta password; Okta then performs the MFA step for the factor enrolled in Step 4.
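The following script is an added example, not part of NoMachine's or Okta's documentation. It checks the Linux-side configuration from Steps 6 and 7: that /etc/pam_radius_auth.conf is readable only by root (it holds the RADIUS shared secret in clear text), that each server line has a shared secret and a numeric timeout, and that the pam_radius_auth.so line in /etc/pam.d/nx precedes 'auth include su'. The function names are this example's own, and the two file paths are parameters so the checks can also be run against staged copies of the files.

```bash
#!/usr/bin/env bash
# Added example: sanity checks for the pam_radius_auth / NoMachine configuration
# described in Steps 6 and 7. Not part of NoMachine or Okta documentation;
# function and variable names are this example's own.

# check_radius_conf FILE
# /etc/pam_radius_auth.conf holds the RADIUS shared secret in clear text, so it
# must be owned by root and not be group/world readable. Each server line has
# the form: server[:port] shared_secret [timeout] (further optional fields are
# ignored here).
check_radius_conf() {
    local f="$1" rc=0 mode owner server secret timeout extra
    [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }
    [ -r "$f" ] || { echo "FAIL: $f not readable (run as root)"; return 1; }
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    case "$mode" in
        600|400) echo "OK:   $f has mode $mode" ;;
        *) echo "FAIL: $f has mode $mode, expected 0600 (file contains the shared secret)"; rc=1 ;;
    esac
    [ "$owner" = root ] || echo "WARN: $f is owned by $owner, expected root"
    # The '|| [ -n "$server" ]' keeps a last line that lacks a trailing newline.
    while read -r server secret timeout extra || [ -n "$server" ]; do
        case "$server" in ''|\#*) continue ;; esac   # skip blank and comment lines
        if [ -z "$secret" ]; then
            echo "FAIL: server line '$server' has no shared secret"; rc=1; continue
        fi
        case "${timeout:-0}" in
            *[!0-9]*) echo "FAIL: timeout '$timeout' for $server is not numeric"; rc=1 ;;
        esac
        # The article's sample secret is a placeholder; a real deployment must use
        # the secret configured in the Okta RADIUS application.
        if [ "$secret" = "NoMachine.1" ]; then
            echo "WARN: $server still uses the example shared secret from the article"
        fi
        echo "OK:   RADIUS server $server, timeout ${timeout:-default}"
    done < "$f"
    return $rc
}

# check_nx_pam FILE
# /etc/pam.d/nx must call pam_radius_auth.so in its auth stack, and that line
# must come before 'auth include su', as Step 7 specifies.
check_nx_pam() {
    local f="$1" radius_ln radius_ctl su_ln
    [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }
    radius_ln=$(awk '$1=="auth" && /pam_radius_auth\.so/ {print NR; exit}' "$f")
    radius_ctl=$(awk '$1=="auth" && /pam_radius_auth\.so/ {print $2; exit}' "$f")
    su_ln=$(awk '$1=="auth" && $2=="include" && $3=="su" {print NR; exit}' "$f")
    if [ -z "$radius_ln" ]; then
        echo "FAIL: no 'auth ... pam_radius_auth.so' line in $f"; return 1
    fi
    if [ -z "$su_ln" ]; then
        echo "FAIL: no 'auth include su' line in $f"; return 1
    fi
    if [ "$radius_ln" -gt "$su_ln" ]; then
        echo "FAIL: pam_radius_auth.so (line $radius_ln) must come before 'auth include su' (line $su_ln)"
        return 1
    fi
    case "$radius_ctl" in
        required|requisite) ;;
        *) echo "WARN: pam_radius_auth.so control is '$radius_ctl'; the article uses 'required'" ;;
    esac
    echo "OK:   pam_radius_auth.so (line $radius_ln) precedes 'auth include su' (line $su_ln)"
}

# check_okta_mfa_setup [RADIUS_CONF] [NX_PAM]   (defaults: the live system files)
check_okta_mfa_setup() {
    local rc=0
    check_radius_conf "${1:-/etc/pam_radius_auth.conf}" || rc=1
    check_nx_pam "${2:-/etc/pam.d/nx}" || rc=1
    return $rc
}

# Run on the NoMachine host as root after Steps 5-7, e.g.:
#   sudo bash check_okta_mfa.sh /etc/pam_radius_auth.conf /etc/pam.d/nx
if [ $# -eq 2 ]; then
    check_okta_mfa_setup "$1" "$2"
fi
```

The script exits non-zero on any FAIL line; WARN lines (non-root owner, the article's placeholder secret, a control flag other than 'required') are reported but do not fail the check, so they can be reviewed case by case.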
Troubleshooting
If users still cannot authenticate over the NX protocol but can authenticate over the SSH protocol, apply the PAM configuration used by SSHD to the NX protocol as well, keeping a backup of the original file:
cp /etc/pam.d/nx /etc/pam.d/nx.ori
cp /etc/pam.d/sshd /etc/pam.d/nx
