PingFederate supports the protocol scenarios for one-step authentication, such as appending a one-time passcode obtained from an authenticator to the password, and two-step authentication, such as through a challenge-response process.


When RADIUS authentication is configured, PingFederate does not lock out administrative users based on the number of failed sign-on attempts. Instead, responsibility for preventing access is delegated to the RADIUS server and enforced according to its password lockout settings.


The NAS-IP-Address attribute is added to all Access-Request packets sent to the RADIUS server. The value is copied from the pf.engine.bind.address property in Only IPv4 addresses are supported.

  1. In the <pf_install>/pingfederate/bin/ file, change the value of the pf.console.authentication property as shown.
  2. In the <pf_install>/pingfederate/bin/ file, change property values as needed for your network configuration.

    For more information, see the comments in the file.

    The roles configured in the properties file apply to both the administrative console and the administrative API.


    Be sure to assign RADIUS users or designated RADIUS groups to at least one of the PingFederate administrative roles as indicated in the properties file. Alternatively, you can set the use.ldap.roles property to true and use the LDAP properties file, also in the bin directory, to map LDAP group-based permissions to PingFederate roles.

  3. Start or restart PingFederate.