PingFederate Server

Configuring the RADIUS Username Password Credential Validator

The RADIUS Username Password Credential Validator verifies credentials using the RADIUS protocol.

About this task

RADIUS supports strong authentication with both one-step (a combination of regular password and a one-time password in one field) and two-step (challenge-response) authentication. Two-step authentication is supported in the HTML Form Adapter.

If your RADIUS server is a Microsoft Network Policy Server (NPS), passwords containing special characters will not be encoded and decoded properly due to limitations with NPS.

RADIUS server messages are used by the HTML Form Adapter to determine the two-step authentication scenarios and to present a sign on window to the end users.

Steps

  1. On the Instance Configuration tab, configure one or more RADIUS servers.

    1. Click Add a new row to 'RADIUS Servers'.

    2. In each field, enter the required information.

      For more information about each field, refer to the following table. All fields are required.

      Field Description

      Hostname

      The IP address of the RADIUS server.

      For failover, enter one or more backup RADIUS servers by adding each server in its own row of the table. Each row represents a distinct RADIUS server that can be used for failover. PingFederate attempts to make a connection to each server in the order listed until a successful connection is obtained.

      Authentication Port

      The UDP port used to authenticate to the RADIUS server.

      The default value is 1812.

      Authentication Protocol

      The protocol used to authenticate to the RADIUS server.

      The available choices are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Select the protocol expected by your RADIUS server.

      The default selection is PAP.

      Shared Secret

      The password shared between PingFederate and the RADIUS server used to encrypt the attribute identifying the NAS (Network Access Server) originating the request for access.

      The NAS-IP-Address attribute is added to all Access-Request packets sent to the RADIUS server. The value is copied from the pf.engine.bind.address property in the <pf_install>/pingfederate/bin/run.properties file. Only IPv4 addresses are supported.

    3. Click Update in the Action column.

    4. Repeat these steps to add more RADIUS servers as needed.

      Click Edit, Update, or Cancel to make or undo a change to an existing entry. Click Delete or Undelete to remove an existing entry or cancel the removal request.

      Use the up and down arrows to adjust the order in which you want PingFederate to attempt credential authentication. If an earlier RADIUS server fails to validate the credentials, PingFederate moves sequentially through the list until credential validation succeeds. If none of the RADIUS servers is able to authenticate the user’s credentials, the credential validation process fails.

  2. Optional: Click Show Advanced Fields to reconfigure default settings.

    For more information about each field, refer to the following table. All fields are required.

    Field Description

    NAS Identifier

    The password shared between PingFederate and the RADIUS server used to encrypt the attribute identifying the NAS (Network Access Server) originating the request for access.

    The default value is PingFederate.

    Timeout

    The maximum number of milliseconds before a connection timeout to the RADIUS server.

    The default value is 3000.

    Retry Count

    The number of times to retry a failed connection before moving to the next host.

    The default value is 3.