---
title: Configuring PingFederate to use RADIUS authentication
description: You can enable RADIUS authentication in the PingFederate administrative console.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_config_pf_use_radius_auth
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_pf_use_radius_auth.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
  example: Example:
  result: Result:
  related-links: Related links
---

# Configuring PingFederate to use RADIUS authentication

You can enable RADIUS authentication in the PingFederate administrative console.

## About this task

In this multi-factor console authentication use case, the PingFederate administrative console is a RADIUS client that calls the local RADIUS server bundled in the PingID Password Credential Validator (PCV) for the second factor authentication.

|   |                                                                                    |
| - | ---------------------------------------------------------------------------------- |
|   | For a clustered PingFederate environment, perform these steps on the console node. |

## Steps

1. Open the `<pf_install>/pingfederate/bin/run.properties` file in a text editor and set the `pf.console.authentication` property to `RADIUS`. `pf.console.authentication=RADIUS`

2. Obfuscate the **Client Shared Secret** value using a PingFederate command-line tool.

   ### Example:

   Windows: `<pf_install>\pingfederate\bin\obfuscate.bat clientSharedSecret`

   Linux: `<pf_install>/pingfederate/bin/obfuscate.sh clientSharedSecret`

   ### Result:

   The output should be a long line of text.

3. Copy the output for the next step.

4. Open the `<pf_install>/pingfederate/bin/radius.properties` file in a text editor and modify as follows.

   ```
   host=<host>
   shared.secret=obfuscatedClientSharedSecret
   timeout=10000
   ```

   |   |                                                                                                                                                                                                                                                                                                                                             |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | For a clustered PingFederate environment, the `host` value must be a runtime engine IP address or a hostname.The `timeout` value is the number of milliseconds to wait for the second authentication factor to complete before timing out the login attempt. In this use case, ten seconds, or `10000` ms, should be sufficient for PingID. |

   In addition, assign one or more RADIUS users or designated RADIUS groups to at least one of the PingFederate administrative roles as indicated in the `radius.properties` file. Alternatively, you can set the `use.ldap.roles` property to `true` and use the LDAP properties file, `ldap.properties` in the same `bin` directory, to map LDAP group-based permissions to PingFederate roles.

5. Save your changes, and restart PingFederate.

## Related links

* [Administrative accounts](help_administrativeaccountstasklet_administrativeaccountsstate.html)