You can use a RADIUS Gateway to orchestrate user authentication flows by leveraging the PingOne DaVinci orchestration engine. After you have configured a RADIUS Gateway, users must complete a series of steps, as defined in your DaVinci flow, to gain access to your VPN. You can customize the DaVinci flow to include steps such as user credential validation and MFA.

The RADIUS gateway currently supports the PAP and MS-CHAP v2 protocols.

The following diagrams provide examples of a general RADIUS gateway authentication flow for each protocol, using the PingID mobile app to authenticate. The actual configuration varies depending on your organization's infrastructure considerations and policies.

Example of a RADIUS Gateway flow using the PAP protocol

RADIUS Gateway using the PAP protocol
  1. A user opens a VPN sign-on window and enters their username and password.
  2. The VPN client sends the credentials to the RADIUS server running in the RADIUS gateway.
  3. The RADIUS gateway initiates a DaVinci flow policy.
  4. The DaVinci flow executes the following steps:
    1. DaVinci invokes the PingOne connector step to initiate credential validation.
    2. The user credentials are validated against a directory (in this example, PingOne Directory).
    3. DaVinci invokes the PingID connector step, and the PingID server initiates second-factor authentication. The user receives a push notification on the relevant device.
    4. The user approves the push notification.
  5. The DaVinci flow completes, and a response is sent back to the RADIUS gateway.
  6. The RADIUS gateway returns a response to the VPN.
  7. The VPN forwards the response, granting or denying access to the user.

Example of the RADIUS Gateway using Advanced protocols (such as MS-CHAP v2)

RADIUS Gateway using advanced protocols such as MS-CHAP v2
  1. A user opens a VPN sign-on window and enters their username and password.
  2. The VPN client sends the credentials to the RADIUS server running in the RADIUS gateway.
  3. The RADIUS gateway forwards the details to the Network Policy Server (NPS).
  4. The NPS validates the user credentials against its directory.
  5. The NPS returns the response to the RADIUS Gateway.
  6. If the credentials are correct, the RADIUS gateway initiates a DaVinci flow policy.
  7. The DaVinci flow executes the following steps:
    1. DaVinci invokes the PingID connector step, and the PingID server initiates second-factor authentication. The user receives a push notification on the relevant device.
    2. The user approves the push notification.
  8. The DaVinci flow completes, and a response is sent back to the RADIUS gateway.
  9. The RADIUS gateway returns a response to the VPN.
  10. The VPN forwards the response, granting or denying access to the user.
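The two flows differ at the credential-validation step, and the reason is the protocol: with PAP (RFC 2865) the Access-Request carries the user's password hidden only with the shared secret and the Request Authenticator, so the RADIUS server inside the gateway can recover it and validate it against a directory itself; with MS-CHAP v2 the request carries a challenge/response, so the gateway has nothing it can check against a directory and hands the exchange to an NPS. The following example is added here and is not Ping Identity code: it packs a PAP Access-Request the way a VPN client would, then, on the server side, unhides the User-Password attribute and validates it against a constructed directory. The shared secret, user, password and salt are all constructed values.

```python
# Added example, not Ping Identity code; the secret, user and password are constructed.
import hashlib
import hmac
import struct

SHARED_SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _md5_xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 section 5.2: XOR each 16-octet block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if decrypt else result  # the chain always feeds the ciphertext block
    return out

def build_access_request(ident, authenticator, username, password):
    """VPN/NAS side: hide the PAP password and pack a RADIUS Access-Request (code 1)."""
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-octet multiple
    hidden = _md5_xor_chain(padded, SHARED_SECRET, authenticator, decrypt=False)
    attrs = bytes([ATTR_USER_NAME, 2 + len(username)]) + username
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):  # type/length/value attributes follow the 20-octet header
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += max(alen, 2)  # a malformed length of 0 or 1 must not stall the loop
    return attrs

def make_directory_entry(password, salt=b"constructed-salt"):  # stores a salted hash only
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

DIRECTORY = {"alice": make_directory_entry(b"correct horse battery")}

def radius_server_handle(packet, directory=DIRECTORY):
    """Gateway side for PAP: recover the password and validate it; unknown users still cost one PBKDF2."""
    attrs = parse_attributes(packet)
    hidden = attrs.get(ATTR_USER_PASSWORD, b"")
    if packet[0] != ACCESS_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return ACCESS_REJECT
    if not hidden or len(hidden) % 16:  # RFC 2865: User-Password is a multiple of 16 octets
        return ACCESS_REJECT
    password = _md5_xor_chain(hidden, SHARED_SECRET, packet[4:20], decrypt=True).rstrip(b"\x00")
    salt, digest = directory.get(attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace"), (b"", b""))
    ok = hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password, salt, 100_000), digest)
    return ACCESS_ACCEPT if ok else ACCESS_REJECT
```

Note that the only things protecting the password in transit are the shared secret and the Request Authenticator, which is why the VPN-to-gateway leg should be kept on a trusted network or wrapped in a secure transport.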