PingFederate Server

Enabling RADIUS authentication

You can enable RADIUS authentication using the configuration files located in the <pf_install>/pingfederate/bin directory. The RADIUS protocol provides a common approach for implementing strong authentication in a client-server configuration.

About this task

PingFederate supports the protocol scenarios for one-step authentication, such as appending a one-time passcode obtained from an authenticator to the password, and two-step authentication, such as through a challenge-response process.

When RADIUS authentication is configured, PingFederate does not lock out administrative users based on the number of failed sign-on attempts. Instead, responsibility for preventing access is delegated to the RADIUS server and enforced according to its password lockout settings.

The NAS-IP-Address attribute is added to all Access-Request packets sent to the RADIUS server. The value is copied from the pf.engine.bind.address property in run.properties. Only IPv4 addresses are supported.

Steps

  1. In the <pf_install>/pingfederate/bin/run.properties file, change the value of the pf.console.authentication property as shown. pf.console.authentication=RADIUS

  2. In the <pf_install>/pingfederate/bin/radius.properties file, change property values as needed for your network configuration.

    For more information, see the comments in the file.

    The roles configured in the properties file apply to both the administrative console and the administrative API.

    Be sure to assign RADIUS users or designated RADIUS groups to at least one of the PingFederate administrative roles as indicated in the properties file. Alternatively, you can set the use.ldap.roles property to true and use the LDAP properties file, also in the bin directory, to map LDAP group-based permissions to PingFederate roles.

  3. Start or restart PingFederate.