--- title: Configuring LDAP group behavior in RADIUS Server description: You can use groups for a number of administrative purposes, for example: component: pingid page_id: pingid:pingid_integrations:pid_configuring_ldap_group_behavior_radius_server canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_ldap_group_behavior_radius_server.html revdate: January 27, 2024 section_ids: about-this-task: About this task steps: Steps --- # Configuring LDAP group behavior in RADIUS Server ## About this task You can use groups for a number of administrative purposes, for example: * Defining and restricting who can sign on to PingFederate. * Gradually introducing PingID multi-factor authentication (MFA) into your organization. * Creating user groups that are exempt from PingID MFA. ## Steps 1. Add an LDAP user group. | Option | Steps | | --------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Add an LDAP user group that will require members to authenticate using PingID MFA | 1. In the **LDAP Group Name** section, click **Add a new row to 'Member of Groups'**. 2. Enter the CN value of the relevant LDAP group name, and click **Update**. Do not enter the full DN. For example, if the full DN is DN=CN=Android Users,OU=PingGroups,DC=intheory,DC=com, enter only the CN value of Android Users.1. Repeat the previous steps for all relevant LDAP groups. If no groups are defined in the RADIUS Server, group configuration is disregarded during authentication, even if the Check Groups option is enabled. | | Add an LDAP group for users that you want to bypass MFA | 1) In the **LDAP Group Name for Bypass** section, click **Add a new row to 'Bypass Member of Groups'**. 2) Enter the relevant LDAP group name's CN, then click **Update**. 3) Repeat the previous steps for all relevant LDAP groups. Users included in a Bypass MFA LDAP group will not be prompted to authenticate using PingID, even if they are included in an LDAP group, or the company policy requires MFA. | 2. Configure the groups by enabling or disabling the following options: * **Check Groups** (cleared by default): If selected, MFA is only performed if the user is a member of one of the groups defined in the **Member of Groups** section. If cleared, group configuration is ignored during authentication. * **Check Bypass Groups** (cleared by default): If selected, MFA is bypassed if the user is a member of one of the defined groups in the **Member of Bypass Groups** section. If cleared, Bypass groups are ignored, and the user is required to authenticate. * **Fail Login if the User is Not Member of the LDAP Group:** If selected, users that are not LDAP group members cannot sign on. LDAP group members are always authenticated using PingID MFA. If cleared, only users that are members of a specified group are authenticated using PingID MFA. All other users are validated using LDAP authentication only.