PingID RADIUS PCV parameters reference guide
The following tables detail the PingID RADIUS password credential validator (PCV) configuration parameters available in PingFederate.
General Parameters
Parameter | Description
---|---
RADIUS Clients |
Client IP | For the RADIUS client IP address, use the IP address of the VPN server or remote access system that sends requests to this PCV.
Client Shared Secret | The RADIUS shared secret for this client. The same secret must be configured on the VPN server; use a long, random value and do not reuse it across clients.
Label | Optional: a label for this client.
Delegate PCVs |
Delegate PCV | The instance name of the “LDAP PCV with Extended Attributes” PCV. If the PingID RADIUS PCV is only required to receive user attributes from an LDAP data source, select LDAP as Attribute Source. This field should be left blank if: If RADIUS Remote Network Policy Server mode is enabled, either LDAP as Attribute Source must be selected or the field must be left blank.
Member Of Groups | Enter one or more pairs of LDAP group attribute and LDAP group name. Users in the groups defined here can be authenticated using PingID MFA. The default LDAP group attribute is memberOf.
LDAP Group Name for Bypass | Enter one or more LDAP group names. Users in the groups defined here are not authenticated using PingID MFA and are admitted on the first factor alone, so keep membership of these groups tightly controlled.
RADIUS Vendor-Specific Attributes | To have vendor-specific attributes sent during authentication, add them in this section and then refer to them when you complete the Multiple Attributes Mapping Rules section. To add a vendor-specific attribute:
Multiple Attributes Mapping Rules | Defines mappings of LDAP attributes that return all values of the attribute to the RADIUS client or to PingID, depending on the Destination Selection. An LDAP attribute may have more than one value (for example, a user may be a member of more than one group); in that case the values are separated by the semicolon (;) character. Click Add a new row to 'Multiple attributes mapping rules' and enter the following fields for each rule: PingID destination attributes (when the value of Destination Selection is
User Specific Groups to RADIUS Client | Maps specific LDAP user groups so that their values are sent to the RADIUS client. For each group listed in the table, click Add a new row to 'User Specific Groups to RADIUS Client' and enter the following fields:
Check Groups | Select this option to initiate PingID authentication only after the user is confirmed as a member of a group defined in Member Of Groups. When selected, the RADIUS PCV filters groups according to the following configuration fields:
Check Bypass Groups | Select this option to bypass PingID authentication only after the user is confirmed as a member of at least one of the groups defined in the 'Member Of Bypass Groups' section.
If the User is not Activated on PingID | Defines how authentication requests are handled if a user is not registered in the PingID cloud service, or if the user’s mobile device is unpaired. Select either:
Fail Login on PingID Technical Error | If selected, authentication requests fail when the PingID cloud service is unavailable. When cleared, the PingID MFA step is bypassed, so the deployment fails open: a user who presents a valid first factor is admitted without MFA whenever PingID cannot be reached. This option is enabled by default.
Fail Login if the User is not member of the LDAP Group | Select or clear the checkbox. If selected, authentication fails for users who are not members of any group listed in Member Of Groups. If no groups are listed in Member Of Groups, this field is ignored and authentication requests are performed using both LDAP and PingID authentication.
Enable RADIUS remote network policy server | Enable the RADIUS PCV to work through a Remote Network Policy Server to support the MS-CHAPv2 protocol.
RADIUS Network Policy Server IP | The source IP address of the RADIUS endpoint Network Policy Server (NPS) used to validate user credentials.
RADIUS Network Policy Server Port | The port number of the RADIUS endpoint Network Policy Server (NPS) used to validate user credentials.
RADIUS Server Authentication Port | The port number assigned to the PingID PCV RADIUS server. The RADIUS server listens for requests from RADIUS clients on this port. The default value is
Domain Postfix | A domain name postfix (including ‘@’) that can be appended to the username to standardize PingID usernames across the various PingID services (for example, SSO). This field is blank by default.
PingID Properties File | The PingID properties file configures the trusted connection between the RADIUS PCV and the relevant tenant in the PingID service. From the PingID configuration window, download the PingID properties file and then upload it to the PingID RADIUS PCV instance in PingFederate. For information, see Configuring a RADIUS server on PingFederate.
Authentication During Errors | Determines how user authentication requests are handled when PingID services are unavailable.
Users Without a Paired Device | When PingID services are unavailable, you can choose to bypass or block users who have no paired mobile device (the pf-pingid-local-fallback attribute in the user’s device list in the user directory). A user’s individual block or bypass State Attribute in the user directory overrides the USERS WITHOUT A PAIRED DEVICE setting.
LDAP Data Source | The directory data source used to retrieve additional user attributes for offline MFA. This is the data store in which the user’s device list (pf-pingid-local-fallback attribute) is stored. If RADIUS Remote Network Policy Server mode is enabled, or if Delegate PCV is defined as LDAP as Attribute Source, all user attributes are retrieved from this directory data source.
Create Entry for Devices | Create the device list entry in the data source if it does not exist. This setting controls how and when PingFederate creates PingID device entries of type pf-pingid-device.
Encryption Key for Devices | The base64url-encoded HMAC256 key used to encrypt the user’s device list before it is saved to the user directory. This field is optional. If it is left empty, device lists are stored unencrypted, as plain text readable by anyone with read access to that attribute.
Search Base | The location in the directory from which the LDAP search begins. Used when the offline authentication attributes are stored on the user entry in the main user LDAP. If RADIUS Remote Network Policy Server mode is enabled, or if Delegate PCV is defined as LDAP as Attribute Source, all user attributes are retrieved from this location in the data source.
Search Filter | The filter applied to locate the user’s entry when the device list is stored on the user’s object in the user directory. The Search Filter value must be identical to the Search Base field in the relevant Password Validator Instance Configuration. You may use If RADIUS Remote Network Policy Server mode is enabled, or if Delegate PCV is defined as LDAP as Attribute Source, all user attributes are retrieved with the help of this filter.
Scope of Search | The options for determining the width and depth of the search when the device list is stored on the user’s object in the user directory:
Distinguished Name Pattern | The pattern used to save device entries. It points to the location in the directory in which the pf-pingid-device objects reside. If RADIUS Remote Network Policy Server mode is enabled, or if Delegate PCV is defined as LDAP as Attribute Source, all user attributes are retrieved with the help of this pattern.
State Attribute | The STATE ATTRIBUTE overrides how a specific user is authenticated during offline authentication. The value of this field is the name of the attribute configured in the directory. If the PingID services are unreachable, the value of STATE ATTRIBUTE is evaluated:
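The group, bypass and offline-fallback parameters in the table above interact, and whether a deployment fails open or closed depends on their combination. The following model is an added example, not PingID or PingFederate code: it encodes the behaviour described in the table as one decision function so that the combinations can be tested before go-live. It assumes an evaluation order the page does not state (bypass groups first, then required groups, then the per-user State Attribute during an outage), that a user outside the required groups is admitted without MFA when "Fail Login if the User is not member of the LDAP Group" is cleared, that the State Attribute holds the literal values "block" or "bypass", and that group names are compared as exact strings.

```python
"""Decision model for the group, bypass and offline-fallback parameters.

Added illustration, not PingID or PingFederate code.  Assumptions (not stated on
the page): bypass groups are evaluated before required groups; a user outside the
required groups is admitted without MFA when fail_if_not_member is cleared; the
State Attribute values are the strings "block" and "bypass"; group names are
compared exactly, without DN normalisation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    MFA = "require PingID MFA after the first factor"
    BYPASS = "admit on the first factor only"
    FAIL = "reject the authentication request"


@dataclass
class PcvConfig:
    # Member Of Groups: pairs of (LDAP group attribute, LDAP group name)
    member_of_groups: list[tuple[str, str]] = field(default_factory=list)
    # LDAP Group Name for Bypass, matched against the default memberOf attribute
    bypass_groups: set[str] = field(default_factory=set)
    check_groups: bool = False
    check_bypass_groups: bool = False
    fail_if_not_member: bool = False
    fail_on_technical_error: bool = True             # enabled by default per the table
    bypass_users_without_paired_device: bool = False  # "Users Without a Paired Device"


@dataclass
class User:
    attributes: dict[str, set[str]]     # directory attributes, e.g. {"memberOf": {...}}
    has_paired_device: bool = True
    state_attribute: str | None = None  # per-user override: "block", "bypass" or None


def in_required_group(cfg: PcvConfig, user: User) -> bool:
    return any(group in user.attributes.get(attr, set()) for attr, group in cfg.member_of_groups)


def in_bypass_group(cfg: PcvConfig, user: User) -> bool:
    return bool(cfg.bypass_groups & user.attributes.get("memberOf", set()))


def decide(cfg: PcvConfig, user: User, pingid_reachable: bool = True) -> Decision:
    # 1. Check Bypass Groups: members skip MFA (assumed to take precedence).
    if cfg.check_bypass_groups and in_bypass_group(cfg, user):
        return Decision.BYPASS
    # 2. Check Groups. With no groups listed the membership test is ignored and
    #    every user goes through LDAP plus PingID, as the table states.
    if cfg.check_groups and cfg.member_of_groups and not in_required_group(cfg, user):
        return Decision.FAIL if cfg.fail_if_not_member else Decision.BYPASS
    if pingid_reachable:
        return Decision.MFA
    # 3. PingID unreachable: the per-user State Attribute overrides the settings below.
    if user.state_attribute == "block":
        return Decision.FAIL
    if user.state_attribute == "bypass":
        return Decision.BYPASS
    if not user.has_paired_device:
        return Decision.BYPASS if cfg.bypass_users_without_paired_device else Decision.FAIL
    # 4. Fail Login on PingID Technical Error: cleared means the deployment fails open.
    return Decision.FAIL if cfg.fail_on_technical_error else Decision.BYPASS


def audit_fail_open(cfg: PcvConfig) -> list[str]:
    """Name every setting that can admit a user without MFA."""
    findings = []
    if not cfg.fail_on_technical_error:
        findings.append("Fail Login on PingID Technical Error is cleared: outage bypasses MFA")
    if cfg.bypass_users_without_paired_device:
        findings.append("Users Without a Paired Device is set to bypass during outages")
    if cfg.check_groups and cfg.member_of_groups and not cfg.fail_if_not_member:
        findings.append("users outside Member Of Groups are admitted without MFA")
    return findings
```

Run `audit_fail_open` against the intended configuration and `decide` against a few representative users with `pingid_reachable=False` to see exactly who is admitted during a PingID outage.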
Advanced Parameters
Parameter | Description
---|---
Server Threads | Enter a number to specify a fixed number of threads that service RADIUS requests from a shared unbounded queue. If no value is specified, new threads are created as required and previously constructed threads are reused when available.
Enable RADIUS Server | Select the checkbox to enable the integrated RADIUS server. This option is enabled by default.
Default Shared Secret | The default RADIUS shared secret. If specified, it is used for any client that is not found in the RADIUS client configuration, which means any host that knows it can submit requests; leave it blank unless you must accept requests from clients that are not listed explicitly.
PingID Service ID | This setting should not be modified. The default value is
Application Name | Label shown on the PingID app’s authentication screen instead of the default text ("vpn").
Application Icon | Icon shown on the PingID app’s authentication screen instead of the default icon. The graphic must be JPEG or PNG, no larger than 100px x 100px, and 150 kB or less. The value must be a valid URL that begins with https.
State Encryption Key | The base64url-encoded 256-bit key used to protect the integrity of the RADIUS State attribute. The RADIUS State attribute (type 24) is generated by the PingID PCV and must not be modified. This parameter is unrelated to the State Attribute parameter in the previous table.
State Lifetime | The time, in seconds, that the RADIUS server waits for a response to a challenge before it times out. The default value is
Radius Client Doesn’t Support Challenge | Select this when the RADIUS client does not support the Access-Challenge message of the RADIUS protocol. This mode also supports RADIUS clients that send the OTP collected from the user in the password field, for example Amazon Workspaces. Supported authentication methods in this mode: Mobile App (Swipe, Biometrics, OTP), Desktop App, OATH tokens, Authenticator app and YubiKey. Not supported: SMS, Voice and Email. User experience:
OTP in Password Separator | If Radius Client Doesn’t Support Challenge is selected and OTP fallback is enabled:
Radius Client Password Validation | When the RADIUS client validates the user password itself, the RADIUS PCV does not receive the password and therefore does not validate it. If the RADIUS client does not support the RADIUS challenge, the user’s OTP might be in the password field.
Direct OTP Validation | Perform OTP validation for RADIUS clients that do not support Access-Challenge and do not have a Delegate PCV configured.
PingID Username Attribute | The name of the attribute from the delegate PCV’s attribute contract that is used as the PingID username for RADIUS-originated authentication.
PingID Heartbeat Timeout | The time, in seconds, that the adapter waits for heartbeat calls to the PingID service before falling back to the Authentication During Errors behavior. If left empty, the default is 30 seconds.
Newline Character | Select the line separation character to use in RADIUS server challenge messages. Choose from:
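The shared-secret, State Encryption Key, State Lifetime and "Radius Client Doesn't Support Challenge" parameters above rest on two standard RADIUS mechanisms: User-Password hiding with the shared secret (RFC 2865, section 5.2) and the State attribute (type 24), which the client must echo unchanged after an Access-Challenge. The following is an added example, not PingID or PingFederate code, showing both sides of that exchange. The State layout (issue time, nonce, HMAC-SHA256), the "password<separator>otp" ordering for clients without Access-Challenge support, and the strict 256-bit key check are illustrative assumptions; the key-generation routine produces the base64url, 256-bit format the key fields in both tables describe.

```python
"""Model of the RADIUS challenge exchange behind the State Encryption Key, State
Lifetime, shared secret and OTP-in-password parameters.  Added example, not PingID
or PingFederate code.  User-Password hiding follows RFC 2865 section 5.2 and State
is RADIUS attribute type 24; the State layout (timestamp || nonce || HMAC-SHA256)
and the "password<sep>otp" ordering are assumptions made for illustration.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import struct
import time

ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_STATE = 1, 2, 24


def new_state_key() -> str:
    """Generate a key in the form the key fields expect: base64url, 256 bits."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()

def load_key(encoded: str) -> bytes:
    """Accept padded or unpadded base64url, but only if it decodes to 256 bits."""
    key = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    if len(key) != 32:
        raise ValueError("key must decode to exactly 32 bytes")
    return key

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with MD5(secret || previous)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator  # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side of the same scheme; the nul padding is stripped afterwards."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs: list[tuple[int, bytes]]) -> bytes:
    """RADIUS attribute TLVs: one-byte type, one-byte total length, value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data: bytes) -> dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def mint_state(key: bytes, now: float | None = None) -> bytes:
    """State = 8-byte issue time || 8-byte nonce || HMAC-SHA256 over both (48 bytes)."""
    body = struct.pack(">Q", int(time.time() if now is None else now)) + os.urandom(8)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_state(key: bytes, state: bytes, lifetime_s: int, now: float | None = None) -> bool:
    """Accept only an unmodified State minted under this key within State Lifetime."""
    if len(state) != 48:
        return False
    body, tag = state[:16], state[16:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return False  # edited by the client, or minted under another key
    age = (time.time() if now is None else now) - struct.unpack(">Q", body[:8])[0]
    return 0 <= age <= lifetime_s

def split_password_and_otp(field: bytes, separator: bytes) -> tuple[bytes, bytes | None]:
    """Clients without Access-Challenge support send "password<sep>otp" in one field."""
    password, sep, otp = field.rpartition(separator)
    return (password, otp) if sep else (field, None)

def challenge_round_trip(secret: bytes, key: bytes, lifetime_s: int = 60) -> bool:
    """Both sides: first factor, Access-Challenge carrying State, OTP reply echoing it."""
    ra1 = os.urandom(16)  # Request Authenticator, fresh for every request
    req1 = parse_attrs(encode_attrs([(ATTR_USER_NAME, b"alice"),
                                     (ATTR_USER_PASSWORD, hide_password(secret, ra1, b"correct horse"))]))
    if reveal_password(secret, ra1, req1[ATTR_USER_PASSWORD]) != b"correct horse":
        return False
    state = mint_state(key)  # server -> client in the Access-Challenge
    ra2 = os.urandom(16)     # client -> server: OTP plus the State echoed unchanged
    req2 = parse_attrs(encode_attrs([(ATTR_USER_NAME, b"alice"),
                                     (ATTR_USER_PASSWORD, hide_password(secret, ra2, b"123456")),
                                     (ATTR_STATE, state)]))
    return verify_state(key, req2[ATTR_STATE], lifetime_s)
```

Because the issue time sits under the HMAC, a State that is replayed after State Lifetime or edited by the client fails verification rather than being trusted, and a wrong shared secret simply yields garbage from `reveal_password`; both are the failure modes the corresponding parameters exist to control.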