PingFederate supports the protocol scenarios for one-step authentication (by appending to the password a one-time passcode obtained from an authenticator, for instance) and two-step authentication (through a challenge-response process, for example).


When RADIUS authentication is configured, PingFederate does not lock out administrative users based upon the number of failed logon attempts. Responsibility for preventing access is instead delegated to the RADIUS server and enforced according to its password lockout settings.


The NAS-IP-Address attribute is added to all Access-Request packets sent to the RADIUS server. The value is copied from the pf.engine.bind.address property in Only IPv4 addresses are supported.

  1. In the <pf_install>/pingfederate/bin/ file, change the value of the pf.console.authentication property as shown below:
  2. In the <pf_install>/pingfederate/bin/ file, change property values as needed for your network configuration.
    See the comments in the file for instructions and additional information.

    Note that the roles configured in the properties file apply to both the administrative console and the administrative API.


    Be sure to assign RADIUS users or designated RADIUS groups (or both) to at least one of the PingFederate administrative roles as indicated in the properties file. Alternatively, you can set the use.ldap.roles property to true and use the LDAP properties file (also in the bin directory) to map LDAP group-based permissions to PingFederate roles.

  3. Start or restart PingFederate.