For your VPN to perform multi-factor authentication (MFA) using the PingID cloud service, you must create and configure a RADIUS server password credential validator (PCV) on PingFederate.
- RADIUS clients that handle first-factor authentication (and therefore do not send passwords to the RADIUS server) and do not support RADIUS challenges:
  - RADIUS Client Password Validation: set this field to enabled.
  - Direct OTP validation: For RADIUS clients running 3.0.4 or later, set this field to enabled.
  - OTP in Password Separator: For RADIUS clients running 3.0.3 and earlier only, set this field to Comma.
- RADIUS clients that do not support RADIUS challenges: set the RADIUS Client Doesn't Support Challenge field to enabled.
PingFederate
You can download the PingID for PingFederate properties file for use when integrating PingID with PingFederate.
The Integrate with PingFederate Bridge properties file provides full permission to perform enrollment, device management, and authentication actions. You can rotate or revoke generated properties files with minimal downtime.
For Windows login, Mac login, and SSH integrations, you should download the version of the properties file that restricts user permissions to authentication only. For more information, see the relevant tabs on this page.
The PingID properties file contains sensitive information including the secret encryption key. It should only be handled by administrators and should not be distributed more than is necessary.
To ensure minimal downtime when rotating a PingID properties file (key rotation), first generate the PingID properties file and link it to the relevant client, and then revoke the old properties file.
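One way to check the handling and rotation guidance above on a POSIX host: the script below is an added example, not Ping Identity code. It inventories copies of the properties file, flags any that are accessible beyond the owner, and flags any whose digest differs from the file currently in use. The file-name pattern, directory layout, and sample contents are assumptions constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile


def audit_properties_files(root, current_sha256=None):
    """Report every PingID properties copy under root (name pattern is assumed).

    Flags copies accessible by group/other, and copies whose SHA-256 differs
    from current_sha256, which may be leftovers from before a rotation.
    File contents are hashed but never printed or returned.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if "pingid" not in name.lower() or not name.endswith(".properties"):
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            issues = []
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                issues.append("accessible beyond owner (mode %o)" % mode)
            if current_sha256 and digest != current_sha256:
                issues.append("not the current file (possible pre-rotation copy)")
            findings.append({"path": path, "sha256": digest, "issues": issues})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed tree: one owner-only current file, one loose stale copy."""
    with tempfile.TemporaryDirectory() as root:
        samples = (("conf/pingid.properties", b"placeholder-new\n", 0o600),
                   ("backup/pingid-old.properties", b"placeholder-old\n", 0o644))
        for rel, body, mode in samples:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
        current = hashlib.sha256(b"placeholder-new\n").hexdigest()
        return {os.path.basename(f["path"]): f["issues"]
                for f in audit_properties_files(root, current)}


if __name__ == "__main__":
    for name, issues in demo().items():
        print(name, "->", issues or "ok")
```

Copies flagged as not current are candidates for deletion once the old properties file has been revoked.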
Configuring LDAP group behavior in RADIUS Server
- Defining and restricting who can sign on to PingFederate.
- Gradually introducing PingID multi-factor authentication (MFA) into your organization.
- Creating user groups that are exempt from PingID MFA.