To use MS-CHAPv2 authentication with the RADIUS protocol, you need to enable the PingID Password Credential Validator (PCV) to work with the relevant Network Policy Server (NPS). The PingID PCV implements PingID as the second factor in the flow between the RADIUS client and the NPS.
Use of PingID as the second factor between the RADIUS client and an NPS is supported only with MS-CHAPv2 or EAP-MSCHAPv2. Note that MS-CHAPv2 is a challenge/response authentication method rather than an encryption scheme; this is why the first factor is validated by the NPS and the PCV must be configured to forward to it (see the last step below).
1. In PingFederate, go to Password Credential Validators.
   A list of credential validator instances is displayed.
2. Click Create New Instance.
   The Create Credential Validator Instance window opens.
   - In the Instance Name and Instance ID fields, enter a meaningful instance name and instance ID.
   - In the Type list, select PingID PCV (with integrated RADIUS server). Click Next.
3. To specify an LDAP directory as the attribute source:
   - Configure an LDAP connection.
   - In the Delegate PCV field, click Add a new row to Delegate PCVs.
   - In the Delegate PCV list, select LDAP as attribute source.
   - In the LDAP Data Source field, select the LDAP connection that you configured.
   - Configure either the Search Base and Search Filter fields (the directory is searched under the base for the entry matching the filter) or the Distinguished Name Pattern field (the user's DN is built directly from the pattern, with no search).
4. To give a client permission to connect to the PingID RADIUS PCV, create an approved RADIUS client:
   - In the RADIUS Clients section, click Add a New Row to RADIUS Clients.
   - Enter the RADIUS client's IP address and shared secret. Optionally, add a label for each client to help distinguish between clients when reviewing the list.
     Note: The shared secret is validated for the client's IP address on both the PCV side and the NPS side. The secret you enter here for a client must therefore match the secret configured for that same client on the NPS that the request is forwarded to; a request whose secret does not match on either side is rejected.
   - Click Update.
   - Optional: To define different authentication behavior per LDAP group, see Configuring LDAP group behavior in RADIUS Server.
5. In the If the User Is Not Activated on PingID list, select one of the following options:
   - Always fail the login: If the user does not have a PingID cloud service account, access is denied.
   - Fail login unless in grace period: If the user does not have a PingID cloud service account, access is allowed only until the mandatory enrollment date; after that date, access is denied.
   - Let the user in without PingID: If the user is registered with PingID, authenticate with both LDAP and PingID MFA. If the user is not registered with PingID, authenticate with LDAP single-factor authentication only. This is the most permissive option: any account that has never enrolled in PingID is protected by its LDAP password alone.
6. Select the Enable RADIUS Remote Network Policy Server check box.
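The approved RADIUS client row above (IP address plus shared secret) is what lets the PCV's integrated RADIUS server reject traffic from an unknown source or from a known source presenting the wrong secret. The following Python example is added here to show how that check works at the protocol level; it is not PingFederate's code and does not claim to reproduce its implementation. It uses the standard RADIUS Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, RFC 2869 section 5.14), which is the per-packet proof of the secret when the request carries an MS-CHAPv2 response rather than a User-Password. The client table, secret, IP addresses and user names are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types used below (RFC 2865, RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20

# Constructed, hypothetical approved-client table, mirroring the
# "RADIUS Clients" rows: source IP -> (shared secret, optional label).
APPROVED_CLIENTS = {
    "10.0.0.5": (b"example-shared-secret", "corp-nps-01"),
}


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier, secret, username, nas_ip):
    """Client side: build an Access-Request with a valid Message-Authenticator.

    The HMAC-MD5 is keyed with the shared secret and computed over the whole
    packet with the Message-Authenticator value set to 16 zero octets.
    """
    request_authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = HEADER_LEN + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + request_authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Yield (type, offset_of_value, value) for each attribute; reject bad TLVs."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_access_request(src_ip, packet):
    """Server side: accept only approved clients that prove the right secret.

    Returns (True, label) on success or (False, reason) on failure.
    """
    if src_ip not in APPROVED_CLIENTS:
        return False, "source IP is not an approved RADIUS client"
    secret, label = APPROVED_CLIENTS[src_ip]

    if len(packet) < HEADER_LEN:
        return False, "packet shorter than RADIUS header"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, "not a well-formed Access-Request"

    try:
        attrs = list(parse_attributes(packet))
    except ValueError as exc:
        return False, f"malformed attributes: {exc}"

    mac_attrs = [(off, val) for t, off, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mac_attrs) != 1 or len(mac_attrs[0][1]) != 16:
        # An MS-CHAPv2 request carries no User-Password, so without this
        # attribute nothing in the packet proves knowledge of the secret.
        return False, "exactly one 16-byte Message-Authenticator is required"
    offset, received = mac_attrs[0]

    # Recompute over the packet with the MAC value zeroed, as the sender did.
    zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        return False, "shared secret mismatch for this client"
    return True, label


if __name__ == "__main__":
    good = build_access_request(7, b"example-shared-secret", "alice", "10.0.0.5")
    print("approved client, right secret:", verify_access_request("10.0.0.5", good))
    print("unknown client IP:            ", verify_access_request("192.0.2.9", good))
    bad = build_access_request(7, b"wrong-secret", "alice", "10.0.0.5")
    print("approved client, wrong secret:", verify_access_request("10.0.0.5", bad))
```

Running it shows the three outcomes a practitioner cares about when setting up the client row: an approved IP with the matching secret is accepted, an unknown IP is refused before any cryptography runs, and an approved IP with a mismatched secret fails the HMAC check. Because the NPS repeats the same validation against its own client table when the PCV forwards the request, the secret has to be identical in both places, which is the point of the note above.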