Configuring the RADIUS Username Password Credential Validator - PingFederate

Configuring the RADIUS Username Password Credential Validator - PingFederate - 10.3

PingFederate Server

bundle

pingfederate-103

ft:publication_title

PingFederate Server

Product_Version_ce

PingFederate 10.3

category

Product

pf-103

pingfederate

ContentType_ce

Page created: 9 Feb 2021 |

Page updated: 3 Jun 2022

| 3 min read

10.3 Product PingFederate Configuration User task RADIUS Standards, specifications, and protocols Software Deployment Method Product documentation Content Type Administrator Audience

The RADIUS Username Password Credential Validator verifies credentials using the RADIUS protocol.

RADIUS supports strong authentication with both one-step (a combination of regular password and a one-time password in one field) and two-step (challenge-response) authentication. Two-step authentication is supported in the HTML Form Adapter.

Important:

If your RADIUS server is a Microsoft Network Policy Server (NPS), passwords containing special characters will not be encoded and decoded properly due to limitations with NPS.

Tip:

RADIUS server messages are used by the HTML Form Adapter to determine the two-step authentication scenarios and to present a sign on window to the end users.

On the Instance Configuration tab, configure one or more RADIUS servers.

Click Add a new row to 'RADIUS Servers'.

In each field, enter the required information.

For more information about each field, refer to the following table. All fields are required.

Field	Description
Hostname	The IP address of the RADIUS server. For failover, enter one or more backup RADIUS servers by adding each server in its own row of the table. Each row represents a distinct RADIUS server that can be used for failover. PingFederate attempts to make a connection to each server in the order listed until a successful connection is obtained.
Authentication Port	The UDP port used to authenticate to the RADIUS server. The default value is `1812`.
Authentication Protocol	The protocol used to authenticate to the RADIUS server. The available choices are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP). Select the protocol expected by your RADIUS server. The default selection is PAP.
Shared Secret	The password shared between PingFederate and the RADIUS server used to encrypt the attribute identifying the NAS (Network Access Server) originating the request for access.

Note:

The NAS-IP-Address attribute is added to all Access-Request packets sent to the RADIUS server. The value is copied from the pf.engine.bind.address property in the <pf_install>/pingfederate/bin/run.properties file. Only IPv4 addresses are supported.

Click Update in the Action column.
Repeat these steps to add more RADIUS servers as needed.

Note:

Click Edit, Update, or Cancel to make or undo a change to an existing entry. Click Delete or Undelete to remove an existing entry or cancel the removal request.

Use the up and down arrows to adjust the order in which you want PingFederate to attempt credential authentication. If an earlier RADIUS server fails to validate the credentials, PingFederate moves sequentially through the list until credential validation succeeds. If none of the RADIUS servers is able to authenticate the user's credentials, the credential validation process fails.

Optional: Click Show Advanced Fields to reconfigure default settings.

For more information about each field, refer to the following table. All fields are required.

Field	Description
NAS Identifier	The password shared between PingFederate and the RADIUS server used to encrypt the attribute identifying the NAS (Network Access Server) originating the request for access. The default value is `PingFederate`.
Timeout	The maximum number of milliseconds before a connection timeout to the RADIUS server. The default value is `3000`.
Retry Count	The number of times to retry a failed connection before moving to the next host. The default value is `3`.