You can integrate PingID multi-factor authentication (MFA) into your VPN or remote access system.
The following diagram shows a general authentication flow. The actual configuration varies depending on your organizational infrastructure considerations and policies.
- A user opens their IPSec or SSL VPN sign on window and enters a user name and password.
- The VPN RADIUS client sends their details to the RADIUS Server on PingFederate.
- PingFederate authenticates the user’s credentials using the LDAP server as first-factor authentication.
- After LDAP authentication approval, the RADIUS server initiates a second authentication using PingID, and the user receives a push notification to the relevant device, such as the PingID mobile app or a YubiKey.
- The user approves the push notification or responds by entering a one-time passcode (OTP).
- The PingID cloud service verifies the response and sends it back to the RADIUS server.
- The RADIUS server returns a response to the VPN. If authentication is denied or an error occurs, the user receives an error message on their VPN window.
To configure PingID VPN integration, complete the following:
Install the PingID Integration Kit in PingFederate.
For more information, see Installing the PingID Integration Kit for PingFederate.
Configure the RADIUS server settings in PingFederate.
For more information, see Configuring a RADIUS server on PingFederate.
Configure your VPN client settings.
For more information, see one of the following sections: