--- title: Configuring the RADIUS Username Password Credential Validator description: The RADIUS Username Password Credential Validator verifies credentials using the RADIUS protocol. component: pingfederate version: 13.0 page_id: pingfederate:administrators_reference_guide:pf_configure_radius_username_pcv canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_configure_radius_username_pcv.html revdate: February 6, 2023 section_ids: about-this-task: About this task steps: Steps --- # Configuring the RADIUS Username Password Credential Validator The RADIUS Username Password Credential Validator verifies credentials using the RADIUS protocol. ## About this task RADIUS supports strong authentication with both one-step (a combination of regular password and a one-time password in one field) and two-step (challenge-response) authentication. Two-step authentication is supported in the HTML Form Adapter. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If your RADIUS server is a Microsoft Network Policy Server (NPS), passwords containing special characters will not be encoded and decoded properly due to limitations with NPS. | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | RADIUS server messages are used by the HTML Form Adapter to determine the two-step authentication scenarios and to present a sign on window to the end users. | ## Steps 1. On the **Instance Configuration** tab, configure one or more RADIUS servers. 1. Click **Add a new row to 'RADIUS Servers'**. 2. In each field, enter the required information. For more information about each field, refer to the following table. All fields are required. | Field | Description | | --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Hostname** | The IP address of the RADIUS server.For failover, enter one or more backup RADIUS servers by adding each server in its own row of the table. Each row represents a distinct RADIUS server that can be used for failover. PingFederate attempts to make a connection to each server in the order listed until a successful connection is obtained. | | **Authentication Port** | The UDP port used to authenticate to the RADIUS server.The default value is `1812`. | | **Authentication Protocol** | The protocol used to authenticate to the RADIUS server.The available choices are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Select the protocol expected by your RADIUS server.The default selection is **PAP**. | | **Shared Secret** | The password shared between PingFederate and the RADIUS server used to encrypt the attribute identifying the NAS (Network Access Server) originating the request for access. | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | The NAS-IP-Address attribute is added to all Access-Request packets sent to the RADIUS server. The value is copied from the `pf.engine.bind.address` property in the `/pingfederate/bin/run.properties` file. Only IPv4 addresses are supported. | 3. Click **Update** in the **Action** column. 4. Repeat these steps to add more RADIUS servers as needed. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | Click **Edit**, **Update**, or **Cancel** to make or undo a change to an existing entry. Click **Delete** or **Undelete** to remove an existing entry or cancel the removal request.Use the up and down arrows to adjust the order in which you want PingFederate to attempt credential authentication. If an earlier RADIUS server fails to validate the credentials, PingFederate moves sequentially through the list until credential validation succeeds. If none of the RADIUS servers is able to authenticate the user's credentials, the credential validation process fails. | 2. (Optional) Click **Show Advanced Fields** to reconfigure default settings. For more information about each field, refer to the following table. All fields are required. | Field | Description | | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **NAS Identifier** | The password shared between PingFederate and the RADIUS server used to encrypt the attribute identifying the NAS (Network Access Server) originating the request for access.The default value is `PingFederate`. | | **Timeout** | The maximum number of milliseconds before a connection timeout to the RADIUS server.The default value is `3000`. | | **Retry Count** | The number of times to retry a failed connection before moving to the next host.The default value is `3`. |