In this multi-factor console authentication use case, the PingFederate administrative console is a RADIUS client that calls the local RADIUS server bundled in the PingID Password Credential Validator (PCV) for the second factor authentication.

Note:

For a clustered PingFederate environment, perform these steps on the console node.

  1. Open the <pf_install>/pingfederate/bin/run.properties file in a text editor and set the pf.console.authentication property to RADIUS.
    pf.console.authentication=RADIUS
  2. Obfuscate the Client Shared Secret value using a PingFederate command-line tool.

    Windows: <pf_install>\pingfederate\bin\obfuscate.bat clientSharedSecret

    Linux: <pf_install>/pingfederate/bin/obfuscate.sh clientSharedSecret

    The output should be a long line of text.

  3. Copy the output for the next step.
  4. Open the <pf_install>/pingfederate/bin/radius.properties file in a text editor and modify as follows.
    host=<host>
    shared.secret=obfuscatedClientSharedSecret
    timeout=10000
    Tip:

    For a clustered PingFederate environment, the host value must be a runtime engine IP address or a hostname.

    The timeout value is the number of milliseconds to wait for the second authentication factor to complete before timing out the login attempt. In this use case, ten seconds, or 10000 ms, should be sufficient for PingID.

    In addition, assign one or more RADIUS users or designated RADIUS groups to at least one of the PingFederate administrative roles as indicated in the radius.properties file. Alternatively, you can set the use.ldap.roles property to true and use the LDAP properties file, ldap.properties in the same bin directory, to map LDAP group-based permissions to PingFederate roles.

  5. Save your changes, and restart PingFederate.