Protecting your VPN with PingID MFA

Use Cases


To improve network security posture and provide a true MFA experience to network resources, add PingID multi-factor authentication (MFA) to your VPN authentication ceremony.

Component

  • PingFederate 10.1

Do the following:

  • Install and configure PingFederate.
  • Install and configure PingID.
  • Enable RADIUS network connectivity between your VPN client and PingFederate.
  • Connect and configure an existing user datastore as a password credential validator (PCV), such as PingDirectory or Active Directory.

By using the RADIUS protocol, PingFederate works as an on-premises agent that adds MFA to your VPN sign-on. The following steps set up and configure PingID MFA for your VPN.

  1. In the PingOne for Enterprise administrative console, go to Setup > PingID > Client Integration > Integration with PingFederate and Other Clients.
    Screen capture illustrating the navigation to Setup > PingID > Client Integration > Integration with PingFederate and Other Clients in the PingOne for Enterprise admin console.
  2. To receive your pingid.properties file, click Download.
    Note: If there are no property files available and you need to generate one, click Generate and then click Download.

  3. In the PingFederate administrative console, go to System > Data & Credential Stores > Password Credential Validators.
    Screen capture illustrating the navigation to System > Data & Credential Stores > Password Credential Validators in the PingFederate administrative console. Existing instances are displayed.
  4. Click Create New Instance.
  5. On the Type tab, configure the fields:
    1. In the Instance Name field, enter an instance name.
    2. In the Instance ID field, enter an instance ID.
    3. From the Type list, select PingID PCV (with integrated RADIUS server).
    4. Click Next.
      Screen capture illustrating the configurable Type fields for a new PCV in PingFederate.
  6. On the Instance Configuration tab, click Add a new row to 'RADIUS Clients'.
    1. In the Client IP field, enter a client IP address to match your RADIUS client.
    2. In the Client Shared Secret field, enter a shared secret to match your RADIUS client.
    3. To complete the client configuration, click Update.

      Repeat step 6 for any additional RADIUS clients.

  7. Click Add a new row to 'Delegate PCV's'.
    1. From the Delegate PCV list, select the primary user datastore you want RADIUS clients to authenticate against.
    2. To complete the configuration, click Update.

      Repeat step 7 for any additional PCVs.

  8. In the PingID Properties File field, paste the pingid.properties file you downloaded from PingID in step 2.
    Screen capture illustrating a completed PingID Properties File field in PingFederate.
  9. In the Authentication During Errors field, select the appropriate authentication behavior when PingID services are unavailable.
    • Bypass User
    • Block User
    • Passive Offline Authentication
    • Enforce Offline Authentication
  10. In the Users Without a Paired Device field, select whether to bypass or block users who have not paired a device with PingID.
  11. Complete any remaining fields. Click Next.
  12. Click Next and Done.
  13. Click Save.

To verify that the authentication ceremony works end to end, perform a RADIUS client test against the PCV's integrated RADIUS server.
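The RADIUS client test above, and the Client IP / Client Shared Secret pairing in step 6, both come down to the RFC 2865 exchange between the VPN appliance (the RADIUS client) and the PCV's RADIUS listener. The following standalone Python script, added here as an illustration and not PingFederate or PingID code, builds a PAP Access-Request the way a VPN client does, answers it the way a RADIUS server does, and checks the Response Authenticator with the shared secret. The user store, secrets and NAS address are constructed sample values; `send_to_server` is a hypothetical helper for running the same request against a real listener.

```python
"""RFC 2865 PAP Access-Request / Access-Accept round trip with Response Authenticator check.
Illustrative code only; the user store, secrets and addresses are constructed samples."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    # Attribute layout: Type(1) | Length(1, header included) | Value
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_pap_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_pap_password(encoded, secret, authenticator):
    """Inverse of encode_pap_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attributes):
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + authenticator + attributes


def build_access_request(identifier, username, password, secret, nas_ip="10.0.0.2"):
    """Client side. The Request Authenticator must be random: it keys the password hiding."""
    authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))  # constructed NAS address
    return build_packet(ACCESS_REQUEST, identifier, authenticator, attrs), authenticator


def parse_attributes(packet):
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def response_authenticator(code, identifier, attributes, request_authenticator, secret):
    """RFC 2865 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def server_handle(request, secret, users):
    """Server side: recover the PAP password with the server's copy of the secret and answer."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(request)
    username = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    password = decode_pap_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    ok = username in users and hmac.compare_digest(password, users[username].encode())
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, identifier, response_authenticator(reply, identifier, b"", request[4:20], secret), b"")


def verify_response(response, request_authenticator, secret):
    """Client side: a reply whose authenticator does not verify must be treated as no reply."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, response[4:20])


def run_exchange(username, password, client_secret, server_secret, users):
    """Offline round trip; returns (reply code, authenticator verified?)."""
    request, authenticator = build_access_request(7, username, password, client_secret)
    response = server_handle(request, server_secret, users)
    return response[0], verify_response(response, authenticator, client_secret)


def send_to_server(host, port, username, password, secret, timeout=5.0):
    """Hypothetical live client test; (None, False) means no reply within the timeout."""
    request, authenticator = build_access_request(os.urandom(1)[0], username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, False
    return response[0], verify_response(response, authenticator, secret)
```

Running `run_exchange` with matching secrets gives Access-Accept for the right password and Access-Reject for a wrong one, both with a verified authenticator. With mismatched secrets (the usual cause of a failing client test after step 6) the server recovers a garbled password and rejects, and the client cannot verify the reply, so the failure looks the same as a forged or stray packet. No reply at all within the timeout usually means the client IP is not listed in the PCV's RADIUS Clients table or the UDP path is blocked. A real PingID flow may also answer with Access-Challenge (code 11) when a second factor is still required, which this minimal server does not emit.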