1. Open the PingFederate administrative console.
  2. Click Server Configuration, and then under Authentication, click Password Credential Validators.

    A screen capture of the Server Configuration window in the PingFederate administrative console.

    A list of credential validator instances is displayed.

    A screen capture of the Manage Credential Validator Instances window.
  3. In the Instance Name column, click ldapPCV.

    The Create Credential Validator Instance window opens.

  4. Add the LDAP attributes that you want PingID to map and send to the PingID server.
    1. In the Extend the Contract field, enter an LDAP attribute, and then click Add. Repeat this step to add multiple attributes.

      Some steps in RADIUS PCV configuration require use of LDAP user groups. To enable use of LDAP user groups, add the memberOf attribute to the LDAP Extended Contract mapping.

      A screen capture of LDAP attributes added to the contract.
    2. Click Done, and then click Save.

      The Manage Credential Validator Instances window opens.

    3. Repeat this step for each LDAP PCV instance that you want to connect to the RADIUS server as a delegate PCV.
  5. To create the RADIUS server instance, click Create New Instance.

    A screen capture of the Create Credential Validator Instance window in the PingFederate administrative console.
  6. In the Instance Name and Instance ID fields, enter a meaningful instance name and instance ID.
  7. From the Type list, select PingID PCV (with integrated RADIUS server).
  8. Click Next.

    A screen capture of the Instance Configuration tab in the PingFederate administrative console.

  9. To provide the necessary permissions for client to connect to the RADIUS server, create an approved RADIUS client:
    1. In the RADIUS Clients section, click Add a New Row to RADIUS Clients.

      The IP address of the VPN server/remote access system is required here.

    2. Enter the RADIUS client’s IP address and its shared secret. Optionally, you can add a label for each client to help distinguish between them when reviewing the list. Click Update.
  10. Repeat the procedure from step 3 for all additional RADIUS clients that you want to add.
  11. To add a Delegate PCV for the initial user authentication:
    1. Click Add a New Row to Delegate PCV.
    2. From the Delegate PCV list, select the LDAP PCV that you created when you set up PingFederate, and then click Update.

      If you do not add a Delegate PCV, the RADIUS server assumes first-factor authentication has been performed by an external service. The RADIUS server will not authenticate against the LDAP directory and only PingID MFA will be used.

  12. Optional: To define different authentication behavior per LDAP group, see Configuring LDAP group behavior in RADIUS Server.
  13. In the If the User Is Not Activated on PingID list, select one of the following options:
    • Register the user: If the user does not have a PingID cloud service account, initiate "on the fly registration" using the Challenge Page on the VPN clientless SSL. This is the default setting.

      The Mandatory Enrollment Date set in the PingID admin web portal determines when it is mandatory for the user to register. Before this date, “on the fly registration” is optional. To allow users to self-register, click Enable for Self-Enrollment During Authentication.

      A screen capture of the PingID admin web portal Enrollment page with a date entered in the Mandatory Enrollment Date field and Self-Enrollment During Authentication set to Enable.
    • Always fail the login: If the user does not have a PingID cloud service account, access is denied.
    • Fail login unless in grace period: If the user does not have a PingID cloud service account by the mandatory enrollment date, access is denied.
    • Let the user in without PingID: If the user is registered, authenticate with both LDAP and PingID MFA. If the user is not registered with PingID, authenticate with LDAP single-factor authentication only.
  14. In the RADIUS Server Authentication Port field, enter the port number. The default port is 1812.

    The port number must match the port number you define on the VPN client.

  15. To define the communication settings between RADIUS server and the PingID cloud service:
    1. In the PingOne for Enterprise admin portal, go to Setup > PingID > Client Integration .
    2. In the Integrate with PingFederate and Other Clients section, click Download to save a copy of the pingid.properties file. For more information, see Managing the PingID properties file.
    3. In a text editor, open the pingid.properties file, copy the file contents, and paste the contents into the PingID Properties file field in PingFederate.

    A screen capture of the PingID Properties file field, located in the Server Configuration window of the PingFederate administrative console.
  16. Optional: Configure any additional RADIUS PCV parameters that you want to include. For a list of options, see PingID RADIUS PCV parameters reference guide.
  17. Click Next twice, and then click Done.
  18. Click Save.

    To perform a health-check on the RADIUS PCV server, use the heartbeat on /pf/heartbeat.ping. The PingID RadiusPCV does not expose its own heartbeat endpoint. For more information, see Enabling Heartbeat in PingFederate 7.3 and later.