The RADIUS authentication setup is available via configuration files in the <pf_install>/pingfederate/bin directory. The RADIUS protocol provides a common approach for implementing strong authentication in a client-server configuration. The administrative API supports the protocol scenario for one-step authentication (for example, appending an OTP after the password).

When the administrative API is protected by RADIUS authentication, the API calls must be authenticated by valid credentials over HTTP Basic authentication; otherwise, the administrative API returns an error message. The roles assigned to the accounts affect the results of the API calls.

When RADIUS authentication is configured, PingFederate does not lock out accounts based upon the number of failed logon attempts. Responsibility for preventing access is instead delegated to the RADIUS server and enforced according to its password lockout settings.


The NAS-IP-Address attribute is added to all Access-Request packets sent to the RADIUS server. The value is copied from the pf.engine.bind.address property in Only IPv4 addresses are supported.

  1. Verify the pf.admin.api.authentication value in <pf_install>/pingfederate/bin/ is set to RADIUS.
    Update as needed.
  2. In the <pf_install>/pingfederate/bin/ file, change property values as needed for your network configuration.
    See the comments in the file for instructions and additional information.

    Be sure to assign RADIUS users or designated RADIUS groups (or both) to at least one of the PingFederate administrative roles as indicated in the properties file. Alternatively, you can set the use.ldap.roles property to true and use the LDAP properties file (also in the bin directory) to map LDAP group-based permissions to PingFederate roles. (For information about permissions attached to the PingFederate roles, see the PingFederate User Access Control table in Configure access to the administrative API.)


    When assigning role(s), keep in mind that all accounts specified in can be used to access the administrative API and the administrative console.

  3. Restart PingFederate.

    In a clustered PingFederate environment, you only need to modify and on the console node.