The RADIUS protocol provides a common approach for implementing strong authentication in a client-server configuration.
The RADIUS authentication setup is available through configuration files in the <pf_install>/pingfederate/bin directory. The administrative API supports the protocol scenario for one-step authentication, for example, appending a one time password (OTP) after the password.
When you configure RADIUS authentication, PingFederate does not lock out accounts based upon the number of failed logon attempts. Instead, responsibility for preventing access is delegated to the RADIUS server and enforced according to its password lockout settings.
The NAS-IP-Address attribute is added to all Access-Request packets sent to the RADIUS server. The value is copied from the pf.engine.bind.address property in run.properties. Only IPv4 addresses are supported.
Verify the pf.admin.api.authentication value in
is set to
RADIUS. Update as needed.
file, change property values as needed for your network configuration. For
instructions and additional information, see the comments in the file.
Assign RADIUS users or designated RADIUS groups, or both, to at least one of the PingFederate administrative roles as indicated in the properties file. Alternatively, you can set the use.ldap.roles property to
trueand use the LDAP properties file, which is also in the bin directory, to map LDAP group-based permissions to PingFederate roles. For more information about permissions attached to the PingFederate roles, see the PingFederate User Access Control table in Configure access to the administrative API.Note:
When assigning roles, remember that all accounts specified in radius.properties can access the administrative API and the administrative console.
In a clustered PingFederate environment, you only need to modify run.properties and radius.properties on the console node.