--- title: Protecting your VPN with PingID MFA description: To improve network security posture and provide a true MFA experience to network resources, add PingID multi-factor authentication (MFA) to your VPN authentication ceremony. component: solution-guides page_id: solution-guides:workforce_use_cases:htg_protect_vpn_with_pid_mfa canonical_url: https://docs.pingidentity.com/solution-guides/workforce_use_cases/htg_protect_vpn_with_pid_mfa.html revdate: April 14, 2025 section_ids: before-you-begin: Before you begin about-this-task: About this task steps: Steps choose-from: Choose from: next-steps: Next steps --- # Protecting your VPN with PingID MFA To improve network security posture and provide a true MFA experience to network resources, add PingID multi-factor authentication (MFA) to your VPN authentication ceremony. ## Before you begin **Component** * PingFederate 10.1 Do the following: * Install and configure PingFederate. * Install and configure PingID. * Enable RADIUS network connectivity between your VPN client and PingFederate. * Connect and configure an existing user datastore as a password credential validator (PCV), such as PingDirectory or Active Directory. ### About this task By using the RADIUS protocol, PingFederate works as an on-premise agent to enable MFA into your VPN use cases. The following steps are required to set up and configure a PingID MFA for your VPN. ### Steps 1. In the PingOne for Enterprise administrative console, go to **Setup > PingID > Client Integration > Integration with PingFederate and Other Clients**. ![Screen capture illustrating the navigation to Setup Client Integration Integration with and Other Clients in the admin console.](_images/llt1601575026054.png) 2. To receive your `pingid.properties` file, click **Download**. | | | | - | --------------------------------------------------------------------------------------------------------------------------------- | | | If there are no property files available and you need to generate one, click the **Generate** button and then click **Download**. | 3. In the PingFederate administrative console, go to **System > Data & Credential Stores > Password Credential Validators**. ![Screen capture illustrating the navigation to System Data & Credential Stores Password Credential Validators in the administrative console. Existing instances are displayed.](_images/bhd1601578462217.png) 4. Click **Create New Instance**. 5. On the **Type** tab, configure the fields: 1. In the **Instance Name** field, enter an instance name. 2. In the **Instance ID** field, enter an instance ID. 3. From the **Type** list, select **PingID PCV (with integrated RADIUS server)**. 4. Click **Next**. ![Screen capture illustrating the configurable Type fields for a new PCV in .](_images/hwu1601580627905.png) 6. On the **Instance Configuration** tab, click **Add a new row to 'RADIUS Clients'**. 1. In the **Client IP** field, enter a client IP address to match your RADIUS client. 2. In the **Client Shared Secret** field, enter a shared secret to match your RADIUS client. 3. To complete the client configuration, click **Update**. Repeat step 6 for any additional RADIUS clients. 7. Click **Add a new row to 'Delegate PCV's'**. 1. From the **Delegate PCV** list, select the primary user datastore you want RADIUS clients to authenticate against. 2. To complete the configuration, click **Update**. Repeat step 7 for any additional PCVs. 8. In the **PingID Properties File** field, paste the `pingid.properties` file you downloaded from PingID in step 2. ![Screen capture illustrating a completed Properties File field in .](_images/dzn1601582257289.png) 9. In the **Authentication During Errors** field, select the appropriate authentication behavior when PingID services are unavailable. #### Choose from: * **Bypass User** * **Block User** * **Passive Offline Authentication** * **Enforce Offline Authentication** 10. In the **Users Without a Paired Device** field, select whether to bypass or block the user when PingID services are unavailable. 11. Complete any remaining fields. Click **Next**. 12. Click **Next** and **Done**. 13. Click **Save**. ### Next steps Perform the RADIUS client test to verify and ensure the authentication ceremony works properly.