--- title: Enabling RADIUS authentication description: You can enable RADIUS authentication using the configuration files located in the /pingfederate/bin directory. The RADIUS protocol provides a common approach for implementing strong authentication in a client-server configuration. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_enabling_radius_auth canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_enabling_radius_auth.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: about-this-task: About this task steps: Steps --- # Enabling RADIUS authentication You can enable RADIUS authentication using the configuration files located in the `/pingfederate/bin` directory. The RADIUS protocol provides a common approach for implementing strong authentication in a client-server configuration. ## About this task PingFederate supports the protocol scenarios for one-step authentication, such as appending a one-time passcode obtained from an authenticator to the password, and two-step authentication, such as through a challenge-response process. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | When RADIUS authentication is configured, PingFederate does not lock out administrative users based on the number of failed sign-on attempts. Instead, responsibility for preventing access is delegated to the RADIUS server and enforced according to its password lockout settings. | | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The NAS-IP-Address attribute is added to all Access-Request packets sent to the RADIUS server. The value is copied from the `pf.engine.bind.address` property in `run.properties`. Only IPv4 addresses are supported. | ## Steps 1. In the `/pingfederate/bin/run.properties` file, change the value of the `pf.console.authentication` property as shown. `pf.console.authentication=RADIUS` 2. In the `/pingfederate/bin/radius.properties` file, change property values as needed for your network configuration. For more information, see the comments in the file. The roles configured in the properties file apply to both the administrative console and the administrative API. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Be sure to assign RADIUS users or designated RADIUS groups to at least one of the PingFederate administrative roles as indicated in the properties file. Alternatively, you can set the `use.ldap.roles` property to `true` and use the LDAP properties file, also in the `bin` directory, to map LDAP group-based permissions to PingFederate roles. | 3. Start or restart PingFederate.