OpenVPN and Okta LDAP with MFA: Troubleshooting and Hints

If you follow the official documentation to integrate OpenVPN Access Server with Okta via LDAP, you may run into one or two snags once you turn on MFA.
Official doc from OpenVPN: https://openvpn.net/vpn-server-resources/integrate-okta-with-openvpn-access-server-via-ldap/

Please note: configuring OpenVPN with Okta RADIUS is in my opinion the better option, as it gives the end user a much better UX when dealing with MFA. Just watch the following 1-minute video:


If you want to use LDAP nevertheless, read on:

Exclude the bind user from MFA policies

Error message:

LdapErrorCode=invalid credentials
failure: MFA verification required. Please go to https://<org>.okta.com and enroll in MFA. Then use your second factor to generate an OTP code. Then try again by entering your password followed by "," and then the OTP code, example: myPassword,123123 : (Refer to Okta error Code E0000113)


Resolution: If you prompt all users for MFA through the Global Session Policy, exclude the bind user from that rule. Go to Security -> Global Session Policy -> Default Policy and create a new rule that prompts for MFA (the default rule should not require MFA in this case). In the new rule, exclude the bind user as shown in the screenshot. Rules are evaluated top to bottom and the first match wins, so the MFA rule has to sit above the default rule. Keep in mind that the bind account is now protected by its password alone: treat it as a service account with a long random password, give it only the read permissions it needs, and watch its sign-in events.


Extend the LDAP server timeout

The default LDAP timeout is only 4 seconds. That is too short if users authenticate with Okta Verify Push, because the LDAP bind cannot return before the user has approved the push on their phone. You can extend the timeout via the command line (20 seconds here; pick a value that covers a realistic approval time):

cd /usr/local/openvpn_as/scripts
./sacli --key "auth.ldap.0.timeout" --value 20 ConfigPut
./sacli start

More information can be found here: https://openvpn.net/vpn-server-resources/authentication-options-and-command-line-configuration/


Documentation on how you use MFA with Okta LDAP can be found here: https://help.okta.com/en-us/Content/Topics/Directory/LDAP-interface-MFA.htm

TL;DR: Append the OTP code to the password, separated by a comma, e.g. password,123456, or append ,push if you want to use Okta Verify Push. If you enter just the password and the user is enrolled in Okta Verify Push, push is used as the fallback.
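The following script is an added example, not code from the page, from OpenVPN or from Okta. It reproduces what Access Server does when it authenticates a user against the Okta LDAP interface, so you can test both points above outside of OpenVPN: whether the bind user is still hit by the MFA rule (the E0000113 diagnostic behind "invalid credentials"), and how long a password,push bind actually takes compared with the auth.ldap.0.timeout you set. It uses only the standard library and hand-rolls the BER encoding of the LDAP bind. The host names, DNs and passwords are hypothetical placeholders, and it assumes the Okta LDAP interface is reached over LDAPS on port 636.

```python
import socket
import ssl
import time

LDAP_INVALID_CREDENTIALS = 49   # standard LDAP resultCode ("invalid credentials")
OKTA_MFA_REQUIRED = "E0000113"  # Okta error code quoted in the page's error message

def ber_len(n):
    if n < 0x80:                        # short form below 128, long form above
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value, tag=0x02):
    """Non-negative INTEGER (ENUMERATED with tag 0x0A); a leading 0x00 keeps the sign bit clear."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big") if value else b"\x00"
    return ber_tlv(tag, body)

def okta_credential(password, second_factor=None):
    """Okta LDAP interface MFA syntax: 'password,123456' (OTP) or 'password,push'."""
    return password if second_factor is None else f"{password},{second_factor}"

def build_bind_request(message_id, dn, credential):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = ber_tlv(0x60, ber_int(3) + ber_tlv(0x04, dn.encode()) + ber_tlv(0x80, credential.encode()))
    return ber_tlv(0x30, ber_int(message_id) + bind)

def build_bind_response(message_id, result_code, diagnostic=""):
    """BindResponse [APPLICATION 1]; used here only to construct sample data offline."""
    op = ber_int(result_code, tag=0x0A) + ber_tlv(0x04, b"") + ber_tlv(0x04, diagnostic.encode())
    return ber_tlv(0x30, ber_int(message_id) + ber_tlv(0x61, op))

def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(msg):
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    _, rc, pos = read_tlv(op)
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(rc, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}

def explain(result):
    """Map a parsed BindResponse to the fix the page describes."""
    rc, diag = result["result_code"], result["diagnostic"]
    if rc == 0:
        return "bind ok"
    if rc == LDAP_INVALID_CREDENTIALS and OKTA_MFA_REQUIRED in diag:
        return ("Okta demands MFA for this account: exclude the bind user from the MFA rule "
                "in the Global Session Policy, or append ',<otp>' / ',push' for end users")
    if rc == LDAP_INVALID_CREDENTIALS:
        return "wrong password or OTP"
    return f"LDAP resultCode {rc}: {diag}"

def recv_ldap_message(f):
    head = f.read(2)                    # tag + first length octet
    if len(head) < 2:
        raise ConnectionError("peer closed the connection")
    length = head[1]
    if length & 0x80:                   # long form: next N octets carry the length
        extra = f.read(length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + f.read(length)

def timed_bind(host, dn, credential, timeout, port=636):
    """Bind over LDAPS and time it. A push approval has to finish inside `timeout`,
    which is what auth.ldap.0.timeout caps on the Access Server side."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ssl.create_default_context().wrap_socket(raw, server_hostname=host) as sock:
            sock.sendall(build_bind_request(1, dn, credential))
            result = parse_bind_response(recv_ldap_message(sock.makefile("rb")))
    except socket.timeout:
        return {"elapsed": time.monotonic() - start,
                "verdict": f"no answer within {timeout}s; raise auth.ldap.0.timeout"}
    result["elapsed"] = time.monotonic() - start
    result["verdict"] = explain(result)
    return result

if __name__ == "__main__":
    # Offline demo with a constructed response mirroring the page's error text; for a live
    # probe call timed_bind(host, dn, okta_credential("pw", "push"), 20) with your own values.
    sample = build_bind_response(1, 49, "failure: MFA verification required. (Refer to Okta error Code E0000113)")
    print(explain(parse_bind_response(sample)))
```

Run it once with the bind user's DN and plain password (no second factor): it must come back "bind ok", otherwise the bind user is still caught by the MFA rule. Then run it with an end user and password,push and compare the elapsed time with the timeout you configured in Access Server; if the script itself reports a timeout at 4 seconds but succeeds at 20, that is exactly the change the sacli commands above make.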


I hope that helps. Below is a screenshot of a working config:
