---
title: Configuring RADIUS PCV for MS-CHAPv2
description: To use MS-CHAPv2 encryption with the RADIUS protocol, you need to enable PingID Password Credential Validator (PCV) to work with the relevant Network Policy Service (NPS). The PingID password credential validator (PCV) implements PingID as the second factor in the flow between the client and the network policy service (NPS).
component: pingid
page_id: pingid:pingid_integrations:pid_config_radiuspcv_for_mschapv2
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_config_radiuspcv_for_mschapv2.html
revdate: September 12, 2023
section_ids:
  before-you-begin-install-the-pingid-integration-kit: Before you begin Install the PingID Integration Kit.
  steps: Steps
  result: Result:
  result-2: Result:
  choose-from: Choose from:
---

# Configuring RADIUS PCV for MS-CHAPv2

To use MS-CHAPv2 encryption with the RADIUS protocol, you need to enable PingID Password Credential Validator (PCV) to work with the relevant Network Policy Service (NPS). The PingID password credential validator (PCV) implements PingID as the second factor in the flow between the client and the network policy service (NPS).

## Before you begin [Install the PingID Integration Kit](pid_installing_i_for_vpn.html).

|   |                                                                                                                                                   |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Use of PingID as the second factor between the RADIUS client and an NPS is only supported when using either MS-CHAPv2 or EAP-MSCHAPv2 encryption. |

## Steps

1. In PingFederate, go to **Password Credential Validators**.

   ### Result:

   A list of credential validator instances is displayed.

   ![A screen capture of the Manage Credential Validator Instances window.](_images/npw1658238502897.png)

2. Click **Create New Instance**.

   ### Result:

   The **Create Credential Validator Instance** window opens.

   ![Create Credential Validator Instance window](_images/fgf1656339423417.png)

3. In the**Instance Name** and **Instance ID** fields, enter a meaningful instance name and instance ID.

4. In the **Type** list, select **PingID PCV (with integrated RADIUS server)**. Click **Next**.

5. To specify an LDAP as the attribute source:

   1. [Configuring an LDAP connection](http://docs.pingidentity.com/pingfederate/12.3/administrators_reference_guide/help_datasourcetasklet_ldapconfigstate.html).

   2. In the **Delegate PCV**field, click **Add a new row to Delegate PCVs**.

   3. In the **Delegate PCV** list, select **LDAP as attribute source**.

      ![Create Credential Validator Instance window showing the Client IP and Delegate PCV fields](_images/vuu1656341242703.png)

   4. In the **LDAP Data Source** field, select the LDAP connection that you configured.

   5. Configure either the **Search Base** and **Search Filter** fields, or the **Distinguished Name Pattern**field.

      ![Create Credential Validator Instance window showing relevant attributes](_images/qtf1656339573986.png)

6. To provide the necessary permissions for client to connect to the PingID RADIUS PCV, create an approved RADIUS client:

   1. In the **RADIUS Clients** section, click **Add a New Row to RADIUS Clients**.

   2. Enter the RADIUS client's IP address and shared secret. Optionally, you can add a label for each client to help distinguish between them when reviewing the list.

      |   |                                                                                                                                                                                                      |
      | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | Validation of the client IP shared secret is performed on the PCV side and the NPS side. Therefore you must make sure the shared secret on the client matches the shared secret on the endpoint NPS. |

   3. Click **Update**.

7. **Optional:** To define different authentication behavior per LDAP group, see [Configuring LDAP group behavior in RADIUS Server](pid_configuring_ldap_group_behavior_radius_server.html).

8. In the **If the User Is Not Activated on PingID** list, select one of the following options:

   ### Choose from:

   * **Always fail the login**: If the user does not have a PingID cloud service account, access is denied.

   * **Fail login unless in grace period**: If the user does not have a PingID cloud service account by the mandatory enrollment date, access is denied.

   * **Let the user in without PingID**: If the user is registered, authenticate with both LDAP and PingID MFA. If the user is not registered with PingID, authenticate with LDAP single-factor authentication only.

9. Select the **Enable RADIUS Remote Network Policy Server**check box.

   ![Create Credential Validator Instance window showing attributes related to Remote NPS](_images/stm1656341544538.png)

10. In the **RADIUS Network Policy Server IP** field, enter the relevant IP address for your NPS.

11. In the **RADIUS Network Policy Server Port** field, configure the dedicated authentication port number of the remote NPS.

    |   |                                                                                                                                                       |
    | - | ----------------------------------------------------------------------------------------------------------------------------------------------------- |
    |   | Make sure the **RADIUS Server Authentication Port** number is unique and not used for any other PingID RADIUS PCV instance. The default port is 1812. |

12. To define the communication settings between RADIUS Server and the PingID cloud service:

    1. In the PingOne admin portal, go to **Setup → PingID → Client Integration**.

    2. In the **Integrate with PingFederate and Other Clients** section, click **Download** to save a copy of the `pingid.properties` file.

       For more information, see [Managing the PingID properties file](pid_managing_pid_properties_file.html).

    3. In a text editor, open the `pingid.properties` file, copy the file contents, and paste the contents into the **PingID Properties file** field in PingFederate.

13. **Optional:** Configure any additional RADIUS PCV parameters that you want to include.

    For a list of options, see [PingID RADIUS PCV parameters reference guide](pid_radius_pcv_parameters.html).

14. Click **Next** twice, and then click **Done**.

15. Click **Save**.

    |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
    | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    |   | To perform a health-check on the RADIUS PCV server, use the heartbeat on /pf/heartbeat.ping. The PingID Radius PCV does not expose its own heartbeat endpoint. For more information, see [https://support.pingidentity.com/s/article/Enabling-heartbeat-in-PingFederate-7-3-and-above](https://docs.pingidentity.com/pingfederate/12.3/pingfederate_monitoring_guide/pf_liveliness_responsiveness.html)\[Enabling Heartbeat in PingFederate 7.3 and later]. |