In VMware Horizon 8.11.1 we are trying to implement a 2FA authentication solution, so users will first authenticate with their domain credentials (as they are doing now) and then be prompted for the 2FA via RADIUS.
However, we were wondering if there is any way to have only a small group of users redirected to the MFA authentication for testing purposes, leaving the rest of the users to authenticate without the MFA. Basically this means that, for the same connection server (e.g. test1.com), we need to have two different ways of authentication (because we are doing a demo of the workflow), so that we can test it for a limited number of users and, in case of success, implement the change for all the other users in a staggered way.
Is this possible in some way? If not, how can we run the tests without affecting all the users?
Are you talking about users accessing Horizon from internal networks or from external (using UAGs)?
If internal:
Add an additional connection server and configure it to use 2FA. Don't add it to the existing load balancer if you have one, but let the test users connect directly to the newly configured connection server.
If External:
Add an additional UAG appliance and configure it to use 2FA. Don't add it to the existing load balancer or HA group, but let the test users connect directly to the newly configured UAG.
Once you are satisfied with the new setup, make the same changes to the existing connection servers or UAGs to enforce 2FA for all users and remove the extra installed connection server/UAG (or keep it for future testing).
A connection server will always validate the AD credentials. If you also configure RADIUS for that specific connection server, then it will also provide RADIUS authentication to users connecting to that connection server.
Hi @Mickeybyte,
Thanks again for your response.
So if we add RADIUS validation in the advanced configuration of a connection server, can we achieve that the user is prompted for the OTP via RADIUS, and once that OTP is validated via RADIUS, then validate the AD credentials outside RADIUS, in the same workflow as is configured now?
I look forward to your response.
Borja
I'm not sure, but I think it will first validate the AD credentials and then the RADIUS OTP.
Hi @Mickeybyte,
Thank you very much for all the support.
Just to confirm, and as a final point: regardless of whether it is done before or after, can you confirm that RADIUS is an additional factor but that it will always validate the AD credentials, correct? In the same way as it is currently without RADIUS.
Again, thank you very much,
Borja
Yes, both will be validated.