Enabling RADIUS authentication
You can enable RADIUS authentication using the configuration files located in the <pf_install>/pingfederate/bin
directory. The RADIUS protocol provides a common approach for implementing strong authentication in a client-server configuration.
About this task
PingFederate supports the protocol scenarios for one-step authentication, such as appending a one-time passcode obtained from an authenticator to the password, and two-step authentication, such as through a challenge-response process.
When RADIUS authentication is configured, PingFederate does not lock out administrative users based on the number of failed sign-on attempts. Instead, responsibility for preventing access is delegated to the RADIUS server and enforced according to its password lockout settings. |
The NAS-IP-Address attribute is added to all Access-Request packets sent to the RADIUS server. The value is copied from the |
Steps
-
In the
<pf_install>/pingfederate/bin/run.properties
file, change the value of thepf.console.authentication
property as shown.pf.console.authentication=RADIUS
-
In the
<pf_install>/pingfederate/bin/radius.properties
file, change property values as needed for your network configuration.For more information, see the comments in the file.
The roles configured in the properties file apply to both the administrative console and the administrative API.
Be sure to assign RADIUS users or designated RADIUS groups to at least one of the PingFederate administrative roles as indicated in the properties file. Alternatively, you can set the
use.ldap.roles
property totrue
and use the LDAP properties file, also in thebin
directory, to map LDAP group-based permissions to PingFederate roles. -
Start or restart PingFederate.