RADIUS gateways

The PingOne Remote Authentication Dial-In User Service (RADIUS) Gateway is a lightweight RADIUS server that acts as a bridge between an on-premises VPN or remote access system and PingOne.

You can use a RADIUS gateway to orchestrate user authentication flows by leveraging the PingOne DaVinci orchestration engine. After you have configured a RADIUS gateway, users must follow a series of steps, as defined in your DaVinci flow, to gain access to your VPN. You can customize the DaVinci flow to include steps, such as user credential validation and multi-factor authentication (MFA).

The RADIUS gateway currently supports the PAP and MS-CHAP v2 protocols. It is also possible to incorporate your Network Protocol Server (NPS) into a flow, if required. If an NPS is incorporated into the flow, then after the user authenticates successfully, the NPS attributes are extracted from the authentication response and sent to the RADIUS client.

The following diagrams provide examples of a general RADIUS gateway authentication flow for each protocol, using the PingID mobile app to authenticate. The actual configuration varies depending on your organizational infrastructure considerations and policies.

Example of a RADIUS gateway flow using the PAP protocol without NPS

RADIUS Gateway using the PAP protocol
  1. A user opens a VPN sign-on window and enters their username and password.

  2. The VPN client sends their details to the RADIUS server running in the RADIUS gateway.

  3. The RADIUS gateway initiates a DaVinci flow policy.

  4. The DaVinci flow executes the following steps:

    1. DaVinci invokes the PingOne connector step to initiate credential validation.

    2. The user credentials are validated against a directory (in this example, PingOne Directory).

    3. DaVinci invokes the PingID connector step and the PingID server initiates a second-factor authentication. The user receives a push notification to the relevant device.

    4. The user approves the push notification.

  5. The DaVinci flow is finalized and a response is sent back to the RADIUS gateway.

  6. The RADIUS gateway returns a response to the VPN.

  7. The VPN forwards the response, granting or denying access to the user.
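Steps 2 and 6 above are an ordinary RFC 2865 RADIUS exchange between the VPN (the RADIUS client) and the gateway. The following is an added example, not PingOne's code, with a constructed shared secret, username and password: it shows how the PAP User-Password attribute is hidden under the shared secret in the Access-Request, and how the VPN side should verify the Response Authenticator on the gateway's Access-Accept before trusting it. It also makes visible why the strength of the shared secret and a protected transport matter: the password hiding is keyed only by that secret.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"example-shared-secret"  # constructed for this example only

def _attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_pap_password(secret, request_auth, password):
    """RFC 2865 section 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block). Obfuscation keyed by the shared secret, not encryption."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_pap_password(secret, request_auth, hidden):
    """Inverse of hide_pap_password, as performed by the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, ident, user, password, request_auth=None):
    """Access-Request (Code 1) with User-Name (1) and hidden User-Password (2)."""
    request_auth = request_auth or os.urandom(16)  # must be fresh and unpredictable
    attrs = _attr(1, user) + _attr(2, hide_pap_password(secret, request_auth, password))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def build_access_accept(secret, request_auth, ident, attrs=b""):
    """Access-Accept (Code 2); the Response Authenticator binds reply to request and secret."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(secret, request_auth, packet):
    """Check the VPN side must make before honouring an Accept/Reject (RFC 2865 section 3)."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```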

Example of the RADIUS gateway using NPS

RADIUS Gateway using advanced protocols such as MS-CHAP v2

This flow can be used with advanced protocols (such as MS-CHAP v2) or with PAP.

  1. A user opens a VPN sign-on window and enters their username and password.

  2. The VPN client sends their details to the RADIUS server running in the RADIUS gateway.

  3. The RADIUS gateway forwards the details to the NPS.

  4. The NPS validates the user credentials against its directory.

  5. The NPS returns the response to the RADIUS gateway.

  6. If the credentials are correct, the RADIUS gateway initiates a DaVinci flow policy.

  7. The DaVinci flow executes the following steps:

    1. DaVinci invokes the PingID connector step and the PingID server initiates a second-factor authentication. The user receives a push notification to the relevant device.

    2. The user approves the push notification.

  8. The DaVinci flow is finalized and a response is sent back to the RADIUS gateway.

  9. The RADIUS gateway returns a response to the VPN.

  10. The VPN forwards the response, granting or denying access to the user.