For your VPN to perform multi-factor authentication (MFA) using the PingID cloud service, you must create and configure a RADIUS server password credential validator (PCV) on PingFederate.
- Open the PingFederate administrative console.
Click Server Configuration, and then under
Authentication, click Password Credential
A list of credential validator instances is displayed.
In the Instance Name column, click
The Create Credential Validator Instance window opens.
Add the LDAP attributes that you want PingID to map and send to the PingID server.
In the Extend the Contract field, enter an LDAP
attribute, and then click Add. Repeat this step
to add multiple attributes.
Some steps in RADIUS PCV configuration require use of LDAP user groups. To enable use of LDAP user groups, add the memberOf attribute to the LDAP Extended Contract mapping.
Click Done, and then click
The Manage Credential Validator Instances window opens.
- Repeat this step for each LDAP PCV instance that you want to connect to the RADIUS server as a delegate PCV.
- In the Extend the Contract field, enter an LDAP attribute, and then click Add. Repeat this step to add multiple attributes.
To create the RADIUS server instance, click Create New
- In the Instance Name and Instance ID fields, enter a meaningful instance name and instance ID.
- From the Type list, select PingID PCV (with integrated RADIUS server).
To provide the necessary permissions for client to connect to the RADIUS
server, create an approved RADIUS client:
In the RADIUS Clients section, click
Add a New Row to RADIUS Clients.
The IP address of the VPN server/remote access system is required here.
- Enter the RADIUS client’s IP address and its shared secret. Optionally, you can add a label for each client to help distinguish between them when reviewing the list. Click Update.
- In the RADIUS Clients section, click Add a New Row to RADIUS Clients.
- Repeat the procedure from step 3 for all additional RADIUS clients that you want to add.
To add a Delegate PCV for the initial user authentication:
- Click Add a New Row to Delegate PCV.
From the Delegate PCV list, select the LDAP PCV
that you created when you set up PingFederate, and then
If you do not add a Delegate PCV, the RADIUS server assumes first-factor authentication has been performed by an external service. The RADIUS server will not authenticate against the LDAP directory and only PingID MFA will be used.
- Optional: To define different authentication behavior per LDAP group, see Configuring LDAP group behavior in RADIUS Server.
In the If the User Is Not Activated on PingID list,
select one of the following options:
- Register the user: If the user does not have a
PingID cloud service
account, initiate "on the fly registration" using the Challenge Page on the
VPN clientless SSL. This is the default setting.Note:
The Mandatory Enrollment Date set in the PingID admin web portal determines when it is mandatory for the user to register. Before this date, “on the fly registration” is optional. To allow users to self-register, click Enable for Self-Enrollment During Authentication.
- Always fail the login: If the user does not have a PingID cloud service account, access is denied.
- Fail login unless in grace period: If the user does not have a PingID cloud service account by the mandatory enrollment date, access is denied.
- Let the user in without PingID: If the user is registered, authenticate with both LDAP and PingID MFA. If the user is not registered with PingID, authenticate with LDAP single-factor authentication only.
- Register the user: If the user does not have a PingID cloud service account, initiate "on the fly registration" using the Challenge Page on the VPN clientless SSL. This is the default setting.
In the RADIUS Server Authentication Port field, enter
the port number. The default port is 1812.
The port number must match the port number you define on the VPN client.
To define the communication settings between RADIUS server and the PingID cloud service:
- In the PingOne for Enterprise admin portal, go to .
- In the Integrate with PingFederate and Other Clients section, click Download to save a copy of the pingid.properties file. For more information, see Managing the PingID properties file.
- In a text editor, open the pingid.properties file, copy the file contents, and paste the contents into the PingID Properties file field in PingFederate.
- Optional: Configure any additional RADIUS PCV parameters that you want to include. For a list of options, see PingID RADIUS PCV parameters reference guide.
- Click Next twice, and then click Done.
To perform a health-check on the RADIUS PCV server, use the heartbeat on /pf/heartbeat.ping. The PingID RadiusPCV does not expose its own heartbeat endpoint. For more information, see Enabling Heartbeat in PingFederate 7.3 and later.