How Multi-Factor VPN Authentication Works

The following image represents a general flow. Actual configuration varies according to company infrastructure considerations and policies.

A flowchart showing a general MFA request using Cisco ASA.

Processing steps

  1. When a user opens either their IPSec or SSL VPN sign-on window and enters a username and password, their details are sent to the RADIUS Server on PingFederate through the VPN.
  2. PingFederate authenticates the user’s credentials against the LDAP Server as first-factor authentication.
  3. After LDAP authentication approval, the RADIUS server initiates second-factor authentication with PingID. If authentication is denied, the user's VPN window displays an error message.