Install the PingID Integration Kit.
Note:

Use of PingID as the second factor between the RADIUS client and an NPS is only supported when using either MS-CHAPv2 or EAP-MSCHAPv2 encryption.

  1. In PingFederate, go to Password Credential Validators.

    A list of credential validator instances is displayed.

  2. Click Create New Instance.

    The Create Credential Validator Instance window opens.

  3. In the Instance Name and Instance ID fields, enter a meaningful instance name and instance ID.
  4. In the Type list, select PingID PCV (with integrated RADIUS server). Click Next.
  5. To specify LDAP as the attribute source:
    1. Configure an LDAP connection.
    2. In the Delegate PCV field, click Add a new row to Delegate PCVs.
    3. In the Delegate PCV list, select LDAP as attribute source.

    4. In the LDAP Data Source field, select the LDAP connection that you configured.
    5. Configure either the Search Base and Search Filter fields, or the Distinguished Name Pattern field.

  6. To provide the necessary permissions for a client to connect to the PingID RADIUS PCV, create an approved RADIUS client:
    1. In the RADIUS Clients section, click Add a New Row to RADIUS Clients.
    2. Enter the RADIUS client’s IP address and shared secret. Optionally, you can add a label for each client to help distinguish between them when reviewing the list.
      Note:

      Validation of the client IP shared secret is performed on both the PCV side and the NPS side. Therefore, you must make sure that the shared secret on the client matches the shared secret on the endpoint NPS.

    3. Click Update.
  7. Optional: To define different authentication behavior per LDAP group, see Configuring LDAP group behavior in RADIUS Server.
  8. In the If the User Is Not Activated on PingID list, select one of the following options:
    • Always fail the login: If the user does not have a PingID cloud service account, access is denied.
    • Fail login unless in grace period: If the user does not have a PingID cloud service account by the mandatory enrollment date, access is denied.
    • Let the user in without PingID: If the user is registered, authenticate with both LDAP and PingID MFA. If the user is not registered with PingID, authenticate with LDAP single-factor authentication only.
  9. Select the Enable RADIUS Remote Network Policy Server check box.
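
The shared-secret check that the note in step 6 describes can be illustrated with the standard RADIUS Message-Authenticator attribute (RFC 3579), an HMAC-MD5 over the packet keyed with the shared secret. This is an added example, not PingFederate or NPS code; the secrets and user name are constructed, and it assumes the client signs its requests with Message-Authenticator.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 attribute, HMAC-MD5 keyed with the shared secret


def _attr(attr_type, value):
    # Attribute layout: type (1 octet), length including this header (1 octet), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, username, identifier=1):
    """Client side: build an Access-Request signed with Message-Authenticator."""
    attrs = _attr(USER_NAME, username.encode()) + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs  # 16-octet Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the MAC replaces the 16 zero octets at the end


def verify_access_request(secret, packet):
    """Receiver side: True only if Message-Authenticator verifies under `secret`."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            # The MAC is computed with the attribute value set to 16 zero octets
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # unsigned request


if __name__ == "__main__":
    client_secret = b"constructed-secret-A"  # constructed sample values
    request = build_access_request(client_secret, "jdoe")
    print("receiver with same secret:", verify_access_request(client_secret, request))
    print("receiver with other secret:", verify_access_request(b"constructed-secret-B", request))
```

RFC 3579 says a request whose Message-Authenticator does not validate should be silently discarded, so a secret mismatch typically appears as a client-side timeout rather than an explicit reject.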