PingID Administration Guide

Configuring a RADIUS server on PingFederate

For your VPN to perform multi-factor authentication (MFA) using the PingID cloud service, you must create and configure a RADIUS server password credential validator (PCV) on PingFederate.

Before you begin

If the following conditions exist in your configuration, configure the relevant additional parameters:

  • RADIUS clients that handle first-factor authentication themselves (and therefore do not send passwords to the RADIUS server) and do not support RADIUS challenges: do not configure any delegate PCVs, and make sure to configure the following fields:

    • RADIUS Client Password Validation: set this field to enabled.

    • Direct OTP validation: For RADIUS clients running 3.0.4 or later, set this field to enabled.

    • OTP in Password Separator: For RADIUS clients running 3.0.3 and earlier only, set this field to Comma.

  • RADIUS clients that do not support RADIUS challenges: set the RADIUS Client Doesn’t Support Challenge field to enabled.

Steps

  1. Open the PingFederate administrative console.

  2. Click System → Password Credential Validators.

    A screen capture of the Server Configuration window in the PingFederate administrative console.

    Result:

    A list of credential validator instances is displayed.

    A screen capture of the Manage Credential Validator Instances window.

  3. In the Instance Name column, click ldapPCV.

    Result:

    The Create Credential Validator Instance window opens.

  4. Add the LDAP attributes that you want PingID to map and send to the PingID server:

    1. In the Extend the Contract field, enter an LDAP attribute, and then click Add. Repeat this step to add multiple attributes.

      Some steps in RADIUS PCV configuration require use of LDAP user groups. To enable use of LDAP user groups, add the memberOf attribute to the LDAP Extended Contract mapping.

      A screen capture of LDAP attributes added to the contract.

    2. Click Done, and then click Save.

      Result:

      The Manage Credential Validator Instances window opens.

    3. Repeat this step for each LDAP PCV instance that you want to connect to the RADIUS server as a delegate PCV.

  5. To create the RADIUS server instance, click Create New Instance.

    A screen capture of the Create Credential Validator Instance window in the PingFederate administrative console.

  6. In the Instance Name and Instance ID fields, enter a meaningful instance name and instance ID.

  7. From the Type list, select PingID PCV (with integrated RADIUS server).

  8. Click Next.

    A screen capture of the Instance Configuration tab in the PingFederate administrative console.

  9. To give a client the necessary permissions to connect to the RADIUS server, create an approved RADIUS client:

    1. In the RADIUS Clients section, click Add a New Row to RADIUS Clients.

      The IP address of the VPN server/remote access system is required here.

    2. Enter the RADIUS client’s IP address and its shared secret. Optionally, you can add a label for each client to help distinguish between them when reviewing the list. Click Update.

  10. Repeat step 9 for each additional RADIUS client that you want to add. Only clients whose source IP address and shared secret match an entry in this list are accepted.

  11. To add a Delegate PCV for the initial user authentication:

    1. Click Add a New Row to Delegate PCV.

    2. From the Delegate PCV list, select the LDAP PCV that you created when you set up PingFederate, and then click Update.

      If you do not add a Delegate PCV, the RADIUS server assumes first-factor authentication has been performed by an external service. The RADIUS server will not authenticate against the LDAP directory and only PingID MFA will be used.

  12. Optional: To define different authentication behavior per LDAP group, see Configuring LDAP group behavior in RADIUS Server.

  13. In the If the User Is Not Activated on PingID list, select one of the following options:

    Choose from:

    • Register the user: If the user does not have a PingID cloud service account, initiate on-the-fly registration using the Challenge Page on the VPN clientless SSL interface. This is the default setting.

      The Mandatory Enrollment Date set in the PingID admin web portal determines when registration becomes mandatory for the user. Before this date, on-the-fly registration is optional. To allow users to self-register, click Enable for Self-Enrollment During Authentication.

      A screen capture of the PingID admin web portal Enrollment page with a date entered in the Mandatory Enrollment Date field and Self-Enrollment During Authentication set to Enable.

    • Always fail the login: If the user does not have a PingID cloud service account, access is denied.

    • Fail login unless in grace period: If the user does not have a PingID cloud service account by the mandatory enrollment date, access is denied.

    • Let the user in without PingID: If the user is registered, authenticate with both LDAP and PingID MFA. If the user is not registered with PingID, authenticate with LDAP single-factor authentication only.

  14. In the RADIUS Server Authentication Port field, enter the port number. The default port is 1812.

    The port number must match the port number you define on the VPN client.

  15. To define the communication settings between RADIUS server and the PingID cloud service:

    1. In the PingOne for Enterprise admin portal, go to Setup → PingID → Client Integration.

    2. In the Integrate with PingFederate and Other Clients section, click Download to save a copy of the pingid.properties file. For more information, see Managing the PingID properties file.

    3. On the Password Credential Validators tab, in the PingID Properties field, click Choose File and navigate to the PingID properties file you downloaded earlier. For more information, see Managing the PingID properties file.

    A screen capture of the Instance Configuration tab in the PingID administrative console showing the PingID Properties file field and Choose File upload button.

  16. Optional: Configure any additional RADIUS PCV parameters that you want to include. For a list of options, see PingID RADIUS PCV parameters reference guide.

  17. Click Next twice, and then click Done.

  18. Click Save.

    To health-check the RADIUS PCV, use the PingFederate heartbeat endpoint, /pf/heartbeat.ping; the PingID RADIUS PCV does not expose a heartbeat endpoint of its own. For more information, see Enabling Heartbeat in PingFederate 7.3 and later.
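    Once the instance is saved, it is worth exercising it from the client side before pointing the production VPN at it. The following is an added example, not code from this guide or from Ping Identity: a minimal RFC 2865 PAP client that performs the two-leg Access-Request / Access-Challenge / Access-Request exchange a challenge-capable VPN performs, verifies the Response Authenticator on every reply with the shared secret, and also builds the single-leg "password,OTP" form used when OTP in Password Separator is set to Comma for clients that cannot handle challenges. RADIUS_HOST, RADIUS_PORT and SHARED_SECRET are placeholders for the PCV's address, the Authentication Port from step 14 and the client secret from step 9; the sample attributes used in the self-test are constructed. The Message-Authenticator attribute is not sent.

```python
"""Minimal RFC 2865 PAP client to exercise the PingID RADIUS PCV from the VPN side.
Added example, not Ping Identity code. RADIUS_HOST, RADIUS_PORT and SHARED_SECRET are
placeholders for the PCV's address, its Authentication Port and the client's shared secret."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24   # RFC 2865 attribute types
RADIUS_HOST, RADIUS_PORT, SHARED_SECRET = "radius.example.invalid", 1812, b"placeholder-secret"


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding (RFC 2865 s5.2): 16-byte blocks XORed with a chained MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: what the RADIUS server does before handing the password to a delegate PCV."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident: int, secret: bytes, username: str, password: str, state=None):
    """Returns (packet, request_authenticator); keep the authenticator to verify the reply."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, pap_hide(password.encode(), secret, auth))]
    if state is not None:
        attrs.append((STATE, state))   # second leg of a challenge echoes the server's State
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth


def build_response(code: int, ident: int, secret: bytes, request_auth: bytes, attrs) -> bytes:
    """Server-side reply construction (RFC 2865 s3); used here only to fabricate replies for testing."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def parse_response(pkt: bytes, secret: bytes, request_auth: bytes):
    """Verify the Response Authenticator before trusting a reply: a wrong secret or spoofed datagram fails."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length")
    pkt = pkt[:length]
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return code, ident, decode_attrs(pkt[20:])


def otp_in_password(password: str, otp: str, separator: str = ",") -> str:
    """Single-leg form for clients that cannot handle Access-Challenge (OTP in Password Separator = Comma)."""
    return f"{password}{separator}{otp}"


def authenticate(host, port, secret, username, password, otp_prompt, timeout=10.0) -> bool:
    """Challenge flow: Access-Request -> Access-Challenge (State, Reply-Message) -> Access-Request with OTP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    ident = 1
    pkt, auth = build_access_request(ident, secret, username, password)
    while True:
        sock.sendto(pkt, (host, port))
        code, rid, attrs = parse_response(sock.recv(4096), secret, auth)
        if rid != ident:
            raise ValueError("identifier mismatch")
        if code != ACCESS_CHALLENGE:
            return code == ACCESS_ACCEPT
        state = next((v for t, v in attrs if t == STATE), None)
        prompt = b"".join(v for t, v in attrs if t == REPLY_MESSAGE).decode(errors="replace")
        ident = (ident + 1) % 256   # new Identifier and Request Authenticator on the second leg
        pkt, auth = build_access_request(ident, secret, username, otp_prompt(prompt), state)


if __name__ == "__main__":
    print("Access-Accept" if authenticate(RADIUS_HOST, RADIUS_PORT, SHARED_SECRET, "alice", "password", input)
          else "Access-Reject")
```

    Run it from a host whose address is in the RADIUS Clients list; an Access-Reject with a correct password and OTP usually means the shared secret or the source IP does not match step 9, and a Response Authenticator mismatch means the secret is wrong on one side. Both the password hiding and the reply check are MD5-based and only resist casual sniffing, so keep the UDP path between the VPN and PingFederate on a trusted network segment.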

PingFederate

You can download the PingID for PingFederate properties file for use when integrating PingID with PingFederate.

About this task

The Integrate with PingFederate Bridge properties file provides full permission to perform enrollment, device management, and authentication actions. You can rotate or revoke generated properties files with minimal downtime.

For Windows login, Mac login, and SSH integrations, download the version of the properties file that restricts permissions to authentication only, so that a file on an endpoint cannot be used for enrollment or device management. For more information, see the relevant tabs on this page.

The PingID properties file contains sensitive information including the secret encryption key. It should only be handled by administrators and should not be distributed more than is necessary.

To ensure minimal downtime when rotating a PingID properties file (key rotation), first generate the PingID properties file and link it to the relevant client, and then revoke the old properties file.

Steps

  1. In the PingOne admin portal, go to Setup → PingID → Client Integration.

    Screen capture of the PingID Client Integration window showing how to download the properties file

    Result:

    The Integrate with PingFederate and Other Clients section is displayed, listing any PingID properties files that are already defined.

  2. To generate a new PingID properties file, click Generate, and then click Save.

    You can have a maximum of five active PingID properties files. If you have five active files and want to generate a new one, you must first revoke one of your existing files.

    Result:

    A new entry is added to the properties file list, showing the new PingID properties file.

  3. In the relevant row, click Download, and then save the file to the desired location with a meaningful name.

  4. To revoke an old PingID properties file:

    1. Download and open the PingID properties file you want to revoke, and ensure the token matches the token listed in the web portal.

    2. In the relevant row of the properties file list, click Revoke, and then click Save.

      Result:

      The selected file is removed from the PingID server and can no longer be used for authentication.
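When you check that a downloaded properties file is the one you are about to revoke (step 4a above), it is safer to compare a fingerprint than to read the token out loud or paste it into a ticket. The following is an added example, not code from this guide or from Ping Identity: a small Java .properties reader that reports the key names, a SHA-256 fingerprint of the token and whether the file is readable by its owner only. It assumes the token is stored under the key `token` and that `use_base64_key` is also sensitive; the sample file content is constructed.

```python
"""Inspect a downloaded pingid.properties file without copying its secrets around.
Added example, not Ping Identity code. Assumptions: the file uses Java .properties syntax,
the value shown in the portal is under the key "token", and "use_base64_key" is also secret."""
import hashlib
import os
import stat
import tempfile

SECRET_KEYS = ("token", "use_base64_key")   # assumption: values that must never leave the host

# Constructed sample, not a real PingID file; the shape mirrors a Java .properties file.
SAMPLE = (
    "# constructed sample, not a real file\n"
    "use_base64_key=QUJD\n"
    "token=abc\n"
    "idp_url=https://example.invalid/pingid\n"
    "org_alias=example\\\n"
    "-org\n"
)


def parse_properties(text: str) -> dict:
    """Java .properties reader: '#'/'!' comments, '=' or ':' separators, backslash line continuations.
    Whitespace-only separators and \\uXXXX escapes are not handled."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        key, value = (line, "") if sep < 0 else (line[:sep], line[sep + 1:])
        props[key.strip()] = value.strip()
    return props


def token_fingerprint(token: str) -> str:
    """Short SHA-256 prefix that can be compared or logged instead of the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def permissions_ok(mode: int) -> bool:
    """True only if no group or other permission bits are set (owner-only access)."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def inspect_properties_file(path: str) -> dict:
    """Report that is safe to share: key names, token fingerprint, permission verdict, non-secret values."""
    with open(path, encoding="latin-1") as fh:   # .properties files are ISO-8859-1 by specification
        props = parse_properties(fh.read())
    return {
        "keys": sorted(props),
        "token_fingerprint": token_fingerprint(props["token"]) if "token" in props else None,
        "permissions_ok": permissions_ok(os.stat(path).st_mode),
        "non_secret": {k: v for k, v in props.items() if k not in SECRET_KEYS},
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pingid.properties")
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o600)
        print(inspect_properties_file(path))
```

Compare the printed fingerprint with the fingerprint of the token shown in the portal row you intend to revoke, and treat a `permissions_ok` of False as a reason to tighten the file's mode before it is copied anywhere else.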

Configuring LDAP group behavior in RADIUS Server

About this task

You can use groups for a number of administrative purposes, for example:

  • Defining and restricting who can sign on to PingFederate.

  • Gradually introducing PingID multi-factor authentication (MFA) into your organization.

  • Creating user groups that are exempt from PingID MFA.

Steps

  1. Add an LDAP user group. Choose one or both of the following options:

    Add an LDAP user group whose members are required to authenticate using PingID MFA:

    1. In the LDAP Group Name section, click Add a new row to ‘Member of Groups’.

    2. Enter the CN value of the relevant LDAP group name, and click Update.

      Do not enter the full DN. For example, if the full DN of the group is CN=Android Users,OU=PingGroups,DC=intheory,DC=com, enter only the CN value, Android Users.

    3. Repeat the previous steps for all relevant LDAP groups.

      If no groups are defined in the RADIUS Server, group configuration is disregarded during authentication, even if the Check Groups option is enabled.

    Add an LDAP group for users that you want to bypass MFA:

    1. In the LDAP Group Name for Bypass section, click Add a new row to ‘Bypass Member of Groups’.

    2. Enter the CN value of the relevant LDAP group name, and click Update.

    3. Repeat the previous steps for all relevant LDAP groups.

      Users included in a bypass group are not prompted to authenticate using PingID, even if they are also members of a group in the Member of Groups section or the company policy requires MFA.

  2. Configure the groups by enabling or disabling the following options:

    • Check Groups (cleared by default): If selected, MFA is only performed if the user is a member of one of the groups defined in the Member of Groups section. If cleared, group configuration is ignored during authentication.

    • Check Bypass Groups (cleared by default): If selected, MFA is bypassed if the user is a member of one of the defined groups in the Member of Bypass Groups section. If cleared, Bypass groups are ignored, and the user is required to authenticate.

    • Fail Login if the User is Not Member of the LDAP Group: If selected, users that are not LDAP group members cannot sign on. LDAP group members are always authenticated using PingID MFA. If cleared, only users that are members of a specified group are authenticated using PingID MFA. All other users are validated using LDAP authentication only.
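The interaction between Check Groups, Check Bypass Groups and Fail Login if the User is Not Member of the LDAP Group is easy to get wrong during a gradual rollout. The following is an added example, not code from this guide or from Ping Identity: it encodes the behaviour described in the two steps above as a small decision model so that a planned configuration can be checked against a list of users and their memberOf values before it is saved. The evaluation order (bypass groups first), case-insensitive CN matching and the treatment of the fail option only when group checking is active are assumptions; the PCV's internal logic is not published here. The sample users and group DNs are constructed.

```python
"""Decision model for the PingID RADIUS PCV group options described above.
Added example, not Ping Identity code. Assumptions: bypass groups are evaluated first,
CN comparison is case-insensitive, and "Fail Login if not member" only applies when
Check Groups is enabled and at least one group is defined."""
from dataclasses import dataclass, field

MFA, LDAP_ONLY, FAIL = "pingid_mfa", "ldap_only", "fail_login"


def group_cn(dn: str):
    """CN of the leading RDN of a group DN, honouring RFC 4514 backslash escapes.
    The PCV is configured with this CN, not with the full DN."""
    attr, _, rest = dn.partition("=")
    if attr.strip().upper() != "CN":
        return None
    value, esc = "", False
    for ch in rest:
        if esc:
            value, esc = value + ch, False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            break                       # end of the first RDN
        else:
            value += ch
    return value.strip()


@dataclass
class GroupConfig:
    member_of_groups: list = field(default_factory=list)   # CNs entered under Member of Groups
    bypass_groups: list = field(default_factory=list)      # CNs entered under Bypass Member of Groups
    check_groups: bool = False
    check_bypass_groups: bool = False
    fail_if_not_member: bool = False


def decide(member_of: list, cfg: GroupConfig) -> str:
    """Outcome for one user whose LDAP memberOf attribute holds the given DNs."""
    user = {cn.lower() for cn in map(group_cn, member_of) if cn}
    bypass = {g.lower() for g in cfg.bypass_groups}
    required = {g.lower() for g in cfg.member_of_groups}
    if cfg.check_bypass_groups and user & bypass:
        return LDAP_ONLY        # bypass wins over Member of Groups and over company policy
    if not cfg.check_groups or not required:
        return MFA              # group configuration disregarded: everyone gets PingID MFA
    if user & required:
        return MFA
    return FAIL if cfg.fail_if_not_member else LDAP_ONLY


def rollout_report(users: dict, cfg: GroupConfig) -> dict:
    """Map each user to its outcome; useful for checking a gradual rollout before saving the PCV."""
    return {name: decide(groups, cfg) for name, groups in users.items()}


# Constructed sample directory data, not real users or groups.
SAMPLE_USERS = {
    "alice": ["CN=Android Users,OU=PingGroups,DC=intheory,DC=com"],
    "bob": ["CN=Service Desk,OU=PingGroups,DC=intheory,DC=com"],
    "carol": ["CN=Android Users,OU=PingGroups,DC=intheory,DC=com",
              "CN=MFA Bypass,OU=PingGroups,DC=intheory,DC=com"],
    "dave": [],
}

if __name__ == "__main__":
    pilot = GroupConfig(member_of_groups=["Android Users"], bypass_groups=["MFA Bypass"],
                        check_groups=True, check_bypass_groups=True, fail_if_not_member=False)
    for name, outcome in rollout_report(SAMPLE_USERS, pilot).items():
        print(f"{name:6} -> {outcome}")
```

Run the report once with `fail_if_not_member=False` (the pilot phase, where non-members fall back to LDAP-only) and once with it set to True to see exactly which accounts lose access when the rollout is enforced.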