Use Cases

Protecting your VPN with PingID MFA

To improve your network security posture and require true multi-factor authentication (MFA) for access to network resources, add PingID MFA to your VPN authentication ceremony.

Before you begin

Component

  • PingFederate 10.1

Do the following:

  • Install and configure PingFederate.

  • Install and configure PingID.

  • Enable RADIUS network connectivity between your VPN client and PingFederate.

  • Connect and configure an existing user datastore as a password credential validator (PCV), such as PingDirectory or Active Directory.

About this task

Using the RADIUS protocol, PingFederate acts as an on-premises agent that adds MFA to your VPN use cases. The following steps set up and configure PingID MFA for your VPN.

Steps

  1. In the PingOne for Enterprise administrative console, go to Setup → PingID → Client Integration → Integration with PingFederate and Other Clients.

  2. To receive your pingid.properties file, click Download.

    If there are no property files available and you need to generate one, click the Generate button and then click Download.

  3. In the PingFederate administrative console, go to System → Data & Credential Stores → Password Credential Validators.

  4. Click Create New Instance.

  5. On the Type tab, configure the fields:

    1. In the Instance Name field, enter an instance name.

    2. In the Instance ID field, enter an instance ID.

    3. From the Type list, select PingID PCV (with integrated RADIUS server).

    4. Click Next.

  6. On the Instance Configuration tab, click Add a new row to 'RADIUS Clients'.

    1. In the Client IP field, enter a client IP address to match your RADIUS client.

    2. In the Client Shared Secret field, enter a shared secret to match your RADIUS client.

    3. To complete the client configuration, click Update.

    Repeat step 6 for any additional RADIUS clients.

  7. Click Add a new row to 'Delegate PCV’s'.

    1. From the Delegate PCV list, select the primary user datastore you want RADIUS clients to authenticate against.

    2. To complete the configuration, click Update.

    Repeat step 7 for any additional PCVs.

  8. In the PingID Properties File field, paste the pingid.properties file you downloaded from PingID in step 2.

  9. In the Authentication During Errors field, select the appropriate authentication behavior when PingID services are unavailable.

    Choose from:

    • Bypass User

    • Block User

    • Passive Offline Authentication

    • Enforce Offline Authentication

  10. In the Users Without a Paired Device field, select whether to bypass or block the user when PingID services are unavailable.

  11. Complete any remaining fields. Click Next.

  12. Click Next and Done.

  13. Click Save.

Next steps

Perform a RADIUS client test to verify that the authentication ceremony works properly.
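
One way to script that client test is shown below. It is an added example, not part of the Ping Identity documentation: a minimal RFC 2865 PAP client that sends one Access-Request and verifies the Response Authenticator, so a shared-secret mismatch from step 6 is reported as such. The host address, user name, password, secret, and UDP port 1812 (the RFC default) are assumptions, and no Message-Authenticator attribute is sent.

```python
import hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(user: bytes, password: bytes, secret: bytes, ident: int = 1):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    req_auth = os.urandom(16)
    attrs = _attr(1, user) + _attr(2, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def check_response(response: bytes, req_auth: bytes, secret: bytes) -> str:
    """Verify the Response Authenticator (RFC 2865 section 3), then name the code."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] > len(response):
        raise ValueError("malformed RADIUS response")
    response = response[:struct.unpack("!H", response[2:4])[0]]  # drop padding
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: secret mismatch or spoofed reply")
    return CODES.get(response[0], f"code {response[0]}")

def radius_test(host, user, password, secret, port=1812, timeout=60.0):
    """Send one Access-Request and return the verified reply type."""
    packet, req_auth = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # long, so the user has time to answer the MFA prompt
        sock.sendto(packet, (host, port))
        response, _ = sock.recvfrom(4096)
    return check_response(response, req_auth, secret)

if __name__ == "__main__":
    # Constructed values: replace with your server and a Client IP/secret pair from step 6.
    print(radius_test("192.0.2.10", b"jdoe", b"example-password", b"example-secret"))
```

Run it from a host whose address is registered as a Client IP in step 6. A socket timeout with no reply usually means the source address is not a registered RADIUS client or UDP traffic is blocked.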