Configuring PingFederate to use RADIUS authentication
You can enable RADIUS authentication in the PingFederate administrative console.
About this task
In this multi-factor console authentication use case, the PingFederate administrative console is a RADIUS client that calls the local RADIUS server bundled in the PingID Password Credential Validator (PCV) for the second factor authentication.
For a clustered PingFederate environment, perform these steps on the console node. |
Steps
-
Open the
<pf_install>/pingfederate/bin/run.properties
file in a text editor and set thepf.console.authentication
property toRADIUS
.pf.console.authentication=RADIUS
-
Obfuscate the Client Shared Secret value using a PingFederate command-line tool.
Example:
Windows:
<pf_install>\pingfederate\bin\obfuscate.bat clientSharedSecret
Linux:
<pf_install>/pingfederate/bin/obfuscate.sh clientSharedSecret
Result:
The output should be a long line of text.
-
Copy the output for the next step.
-
Open the
<pf_install>/pingfederate/bin/radius.properties
file in a text editor and modify as follows.host=<host> shared.secret=obfuscatedClientSharedSecret timeout=10000
For a clustered PingFederate environment, the
host
value must be a runtime engine IP address or a hostname.The
timeout
value is the number of milliseconds to wait for the second authentication factor to complete before timing out the login attempt. In this use case, ten seconds, or10000
ms, should be sufficient for PingID.In addition, assign one or more RADIUS users or designated RADIUS groups to at least one of the PingFederate administrative roles as indicated in the
radius.properties
file. Alternatively, you can set theuse.ldap.roles
property totrue
and use the LDAP properties file,ldap.properties
in the samebin
directory, to map LDAP group-based permissions to PingFederate roles. -
Save your changes, and restart PingFederate.