RADIUS supports strong authentication with both one-step (a combination of regular password and a one-time password in one field) and two-step (challenge-response) authentication. Two-step authentication is supported in the HTML Form Adapter.

Important:

If your RADIUS server is a Microsoft Network Policy Server (NPS), passwords containing special characters will not be encoded and decoded properly due to limitations with NPS.

Tip:

RADIUS server messages are used by the HTML Form Adapter to determine the two-step authentication scenarios and to present a login screen to the end users.

On the Instance Configuration screen, configure per-instance settings that suit your use cases.

  1. Configure one or more RADIUS servers.
    1. Click Add a new row to 'RADIUS Servers'.
    2. Enter information into the required fields.
      For more information about each field, refer to the following table. All fields are required.

      Hostname
        The IP address of the RADIUS server.

        For failover, you can enter one or more backup RADIUS servers by adding each server in its own row of the table. Each row represents a distinct RADIUS server that can be used for failover. PingFederate attempts to make a connection to each server in the order listed until a successful connection is obtained.

        This field has no default value.

      Authentication Port
        The UDP port used to authenticate to the RADIUS server.

        The default value is 1812.

      Authentication Protocol
        The protocol used to authenticate to the RADIUS server.

        The available choices are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Select the protocol expected by your RADIUS server.

        The default selection is PAP.

      Shared Secret
        The password shared between PingFederate and the RADIUS server used to encrypt passwords.

        This field has no default value.

      Note:

      The NAS-IP-Address attribute is added to all Access-Request packets sent to the RADIUS server. The value is copied from the pf.engine.bind.address property in the <pf_install>/pingfederate/bin/run.properties file. Only IPv4 addresses are supported.

    3. Click Update under Action.
    4. Repeat these steps to add more RADIUS servers as needed.

    Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Use the Delete and Undelete workflow to remove an existing entry or cancel the removal request.

    Use the up and down arrows to adjust the order in which you want PingFederate to attempt credential authentication. If an earlier RADIUS server fails to validate the credentials, PingFederate moves sequentially through the list until credential validation succeeds. If none of the RADIUS servers is able to authenticate the user's credentials, the credential validation process fails.

  2. Optional: Click Show Advanced Fields to reconfigure default settings.
    For more information about each field, refer to the following table. All fields are required.

    NAS Identifier
      The attribute identifying the NAS (Network Access Server) originating the request for access.

      The default value is PingFederate.

    Timeout
      The maximum number of milliseconds to wait for a connection to the RADIUS server before timing out.

      The default value is 3000.

    Retry Count
      The number of times to retry a failed connection before moving to the next host.

      The default value is 3.
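    The two tables above describe what ends up on the wire (a PAP User-Password hidden with the Shared Secret, the NAS-IP-Address copied from pf.engine.bind.address, the NAS Identifier) and how the ordered server list is walked using Timeout and Retry Count. The Python below is an added example written for this page, not PingFederate's or Ping Identity's code, that builds an Access-Request per RFC 2865, verifies a reply's Response Authenticator, and models the failover walk. Everything in it is constructed: the sample secret, addresses and credentials, the `send` transport stub, and the reading of Retry Count as retries after a first attempt (the page does not say whether the count includes the first try). CHAP is not shown.

```python
import hashlib
import os
import socket
import struct

# RFC 2865 packet codes and attribute types (standard values, not from the page)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_IDENTIFIER = 1, 2, 4, 32


def encode_pap_password(password, secret, authenticator):
    """Hide a PAP User-Password per RFC 2865 s5.2: pad with NULs to a multiple
    of 16, then XOR each block with MD5(secret + previous block), seeding the
    chain with the 16-byte Request Authenticator. MD5 acts as a keyed mask,
    so the shared secret is the only thing protecting the password on the wire."""
    pw = password.encode("utf-8")
    if len(pw) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = pw + b"\x00" * (-len(pw) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(c ^ m for c, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return bytes(hidden)


def decode_pap_password(hidden, secret, authenticator):
    """Reverse of encode_pap_password (the server side)."""
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00").decode("utf-8")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret,
                         nas_ip, nas_identifier, authenticator=None):
    """Access-Request with User-Name, User-Password, NAS-IP-Address and
    NAS-Identifier. NAS-IP-Address is a 4-octet IPv4 value, so inet_aton
    rejects IPv6 input, matching the page's 'only IPv4 addresses' note."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode("utf-8"))
             + attribute(ATTR_USER_PASSWORD, encode_pap_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(ATTR_NAS_IDENTIFIER, nas_identifier.encode("utf-8")))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Return {type: value} for the attributes following the 20-octet header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What a server does when replying (RFC 2865 s3); used to exercise verify_response."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, request_authenticator, secret):
    """ResponseAuth = MD5(Code|ID|Length|RequestAuth|Attrs|Secret). A client
    that skips this check would accept an Access-Accept from anyone on the path."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return response[4:20] == expected


def authenticate_with_failover(servers, send, timeout_ms=3000, retry_count=3):
    """Model of the ordered server list: each host gets one attempt plus
    retry_count retries on timeout; a reject or exhausted retries moves to the
    next host; Accept or Challenge ends the walk. `send(server, timeout_ms)` is
    a caller-supplied transport stub (assumption) that returns a packet code or
    raises TimeoutError."""
    for server in servers:
        for _ in range(1 + retry_count):
            try:
                code = send(server, timeout_ms)
            except TimeoutError:
                continue
            if code in (ACCESS_ACCEPT, ACCESS_CHALLENGE):
                return server, code
            break  # Access-Reject: do not retry this host, move to the next one
    return None, None
```

    A challenge code is returned rather than swallowed because, as the opening paragraph notes, the Access-Challenge message is what the HTML Form Adapter uses to drive the second step. The Response Authenticator check is the part most home-grown clients omit; without it the shared secret protects only the password, not the decision.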