The following diagram shows a general authentication flow. The actual configuration varies depending on your organizational infrastructure considerations and policies.


Flowchart showing a typical authentication flow, as described in the topic text.
  1. A user opens their IPSec or SSL VPN sign on window and enters a user name and password.
  2. The VPN RADIUS client sends their details to the RADIUS Server on PingFederate.
  3. PingFederate authenticates the user’s credentials using the LDAP server as first-factor authentication.
  4. After LDAP authentication approval, the RADIUS server initiates a second authentication using PingID, and the user receives a push notification to the relevant device, such as the PingID mobile app or a YubiKey.
  5. The user approves the push notification or responds by entering a one-time passcode (OTP).
  6. The PingID cloud service verifies the response and sends it back to the RADIUS server.
  7. The RADIUS server returns a response to the VPN. If authentication is denied or an error occurs, the user receives an error message on their VPN window.

To configure PingID VPN integration, complete the following:

  1. Install the PingID Integration Kit in PingFederate.

    For more information, see Installing the PingID Integration Kit for PingFederate.

  2. Configure the RADIUS server settings in PingFederate.

    For more information, see Configuring a RADIUS server on PingFederate.

  3. Configure your VPN client settings.

    For more information, see one of the following sections: