To set up PingFederate or PingFederate Bridge as a RADIUS server, see Prerequisites: PingFederate RADIUS server.

Note: If your end users encounter the Javascript error "Assignment to read-only properties is not allowed in strict mode" when authenticating via PingID, they should upgrade to version 5.2.11 of the GlobalProtect app.

How it works

The following diagram illustrates a general flow. The actual configuration varies depending on your organizational infrastructure considerations and policies.

A flowchart showing the relationship between Palo Alto Global Protect, the RADIUS server, and PingID.

Processing Steps

  1. When a user opens their Palo Alto Global Protect sign-on window and enters a username and password, their details are sent to the RADIUS server on PingFederate through the VPN RADIUS client.
  2. PingFederate authenticates the user’s credentials with the user repository, such as an LDAP server, as first-factor authentication.
  3. Upon authentication approval from the user repository, the RADIUS server initiates a second authentication with PingID.
  4. The RADIUS server returns a response to Palo Alto Global Protect. If authentication is denied or if an error occurs, the user's terminal displays an error message.