In this multifactor console authentication use case, the PingFederate administrative console is a RADIUS client that calls the local RADIUS server bundled in the PingID™ Password Credential Validator (PCV) for second-factor authentication. Follow these steps to enable RADIUS authentication.

Note:

For a clustered PingFederate environment, perform these steps on the console node.

  1. Open the <pf_install>/pingfederate/bin/run.properties file in a text editor and set the pf.console.authentication property to RADIUS; for example:
    pf.console.authentication=RADIUS
  2. Obfuscate the Client Shared Secret value using a PingFederate command-line tool.

    On Windows:
    <pf_install>\pingfederate\bin\obfuscate.bat clientSharedSecret

    On Linux:
    <pf_install>/pingfederate/bin/obfuscate.sh clientSharedSecret

    The output should be a long line of text. Copy the output for the next step.

  3. Open the <pf_install>/pingfederate/bin/radius.properties file in a text editor and modify as follows:
    host=localhost
    shared.secret=obfuscatedClientSharedSecret
    timeout=10000

    Tip:

    The timeout value is the number of milliseconds to wait for the second authentication factor to complete before timing out the login attempt. In this use case, ten seconds (10000 ms) should be sufficient for PingID.

    In addition, assign one or more RADIUS users or designated RADIUS groups, or both, to at least one of the PingFederate administrative roles as indicated in the radius.properties file. Alternatively, you can set the use.ldap.roles property to true and use the LDAP properties file (ldap.properties in the same bin directory) to map LDAP group-based permissions to PingFederate roles.

  4. Save your changes, and then restart PingFederate.
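
The following script is an added example, not part of the PingFederate documentation or tooling. Run before the restart in step 4, it checks that the two properties files match steps 1 to 3 and flags a shared.secret that was left as the placeholder or pasted in clear text. The function names are hypothetical, and the check that obfuscated values start with OBF: is an assumption about the obfuscate tool's output.

```shell
#!/bin/sh
# Added example: sanity-check the console RADIUS settings from steps 1-3.

# prop FILE KEY: print the value of the last uncommented KEY=... line in FILE.
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots in the key literally
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1 | tr -d '\r'
}

# check_radius_console BIN_DIR: return 0 if the settings are consistent, 1 otherwise.
check_radius_console() {
    bin_dir=$1; rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    [ "$(prop "$bin_dir/run.properties" pf.console.authentication)" = "RADIUS" ] ||
        fail "run.properties: pf.console.authentication is not RADIUS"

    rp="$bin_dir/radius.properties"
    [ -n "$(prop "$rp" host)" ] || fail "radius.properties: host is not set"

    secret=$(prop "$rp" shared.secret)
    case $secret in
        "") fail "radius.properties: shared.secret is not set" ;;
        obfuscatedClientSharedSecret) fail "radius.properties: shared.secret is still the placeholder" ;;
        OBF:*) ;;   # assumption: output of the obfuscate tool begins with OBF:
        *) fail "radius.properties: shared.secret does not look obfuscated" ;;
    esac

    timeout=$(prop "$rp" timeout)
    case $timeout in
        ""|*[!0-9]*) fail "radius.properties: timeout must be a whole number of milliseconds" ;;
    esac
    return $rc
}

# Without arguments, run against constructed sample files (not a real installation).
if [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    printf 'pf.console.authentication=RADIUS\n' > "$demo/run.properties"
    printf 'host=localhost\nshared.secret=OBF:constructed-sample\ntimeout=10000\n' > "$demo/radius.properties"
    check_radius_console "$demo" && echo "console RADIUS settings look consistent"
    rm -rf "$demo"
else
    check_radius_console "$1"
fi
```

To check a real installation, pass the bin directory as the only argument, for example `<pf_install>/pingfederate/bin`.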