--- title: Enabling RADIUS authentication description: The RADIUS protocol provides a common approach for implementing strong authentication in a client-server configuration. component: pingfederate version: 13.1 page_id: pingfederate:developers_reference_guide:pf_enable_radius_authen canonical_url: https://docs.pingidentity.com/pingfederate/13.1/developers_reference_guide/pf_enable_radius_authen.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: November 24, 2022 section_ids: about-this-task: About this task steps: Steps --- # Enabling RADIUS authentication The RADIUS protocol provides a common approach for implementing strong authentication in a client-server configuration. ## About this task The RADIUS authentication setup is available through configuration files in the `/pingfederate/bin` directory. The administrative API supports the protocol scenario for one-step authentication, for example, appending a one time password (OTP) after the password. When RADIUS authentication is protecting the administrative API, the API calls must be authenticated by valid credentials over HTTP Basic authentication. Otherwise, the administrative API returns an error message. The roles assigned to the accounts affect the results of the API calls. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | When you configure RADIUS authentication, PingFederate does not lock out accounts based upon the number of failed logon attempts. Instead, responsibility for preventing access is delegated to the RADIUS server and enforced according to its password lockout settings. | | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The NAS-IP-Address attribute is added to all Access-Request packets sent to the RADIUS server. The value is copied from the `pf.engine.bind.address` property in `run.properties`. Only IPv4 addresses are supported. | ## Steps 1. In the `/pingfederate/bin/run.properties` file, set the value of the `pf.admin.api.authentication` property to `RADIUS`. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can configure PingFederate to support both `RADIUS` authentication and OAuth 2.0 authorization by specifying two values separated with a comma. For example, specify `pf.admin.api.authentication=OAuth2,RADIUS`. Supporting two authentication methods is helpful when you want to change applications from one method to another. For more information about supporting two authentication methods, see the description of `pf.admin.api.authentication` in [Configuring PingFederate properties](../administrators_reference_guide/pf_config_pf_propert.html). | 2. In the `/pingfederate/bin/radius.properties` file, change property values as needed for your network configuration. For instructions and additional information, see the comments in the file. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Assign RADIUS users or designated RADIUS groups, or both, to at least one of the PingFederate administrative roles as indicated in the properties file. Alternatively, you can set the `use.ldap.roles` property to `true` and use the LDAP properties file, which is also in the `bin` directory, to map LDAP group-based permissions to PingFederate roles. For more information about permissions attached to the PingFederate roles, see the PingFederate User Access Control table in [Configure access to the administrative API](pf_config_access_to_admin_api.html). | | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------- | | | When assigning roles, remember that all accounts specified in `radius.properties` can access the administrative API and the administrative console. | 3. Restart PingFederate. | | | | - | ------------------------------------------------------------------------------------------------------------------------------ | | | In a clustered PingFederate environment, you only need to modify `run.properties` and `radius.properties` on the console node. |