Mark Benson - Senior View Architect - VMware End User Computing CTO Office
We have extended View to support RADIUS authentication as an option in our latest View release.
This short RADIUS Setup and Troubleshooting Tips video covers the basics. There is also a more in-depth video shown at the bottom of this article.
This RADIUS feature in View 5.1 will serve two main purposes:
During the development of this feature, we worked with a number of two-factor authentication security vendors and many of them have produced specific setup guides for View 5.1. There are lots of security vendors that will support View 5.1 with RADIUS so you should contact them for specific setup information. I've listed some of them here.
The types of two-factor authentication we support are those that require username and passcode text entry in the View client. This is similar to the way SecurID authentication works, where the user is required to enter their username and passcode (usually a PIN followed by a tokencode read from a hardware or software token). We will also support a specific RADIUS challenge/response that is often used in authentication solutions where the user first enters credentials in the View client and an SMS text message (or e-mail or other out-of-band mechanism) is then sent to the user's cell phone with a code that is then entered in the View client to complete the authentication. This specific RADIUS Access-Challenge from the RADIUS server should contain attributes 18 and 24.
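To make the challenge/response requirement concrete, here is an added example (not VMware code, and not a View client) that encodes and verifies a RADIUS Access-Challenge carrying attribute 18 (Reply-Message) and attribute 24 (State), then shows the follow-up Access-Request echoing State back. The shared secret, Request Authenticator, user name and session value are constructed; User-Password hiding is left out so the block stays focused on attribute layout and response verification.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11          # RADIUS packet codes (RFC 2865)
USER_NAME, REPLY_MESSAGE, STATE = 1, 18, 24        # attribute types referred to in the text

def encode_attrs(attrs):
    """Serialise [(type, value_bytes)] as RADIUS TLVs; Length counts type, length and value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse TLVs back into [(type, value_bytes)], rejecting truncated or undersized attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_response(code, ident, req_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def parse_response(pkt, req_auth, secret):
    """Client side: verify the authenticator before trusting any attribute in the response."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length mismatch")
    body = pkt[20:]
    if hashlib.md5(pkt[:4] + req_auth + body + secret).digest() != pkt[4:20]:
        raise ValueError("bad response authenticator")
    return code, ident, decode_attrs(body)

def challenge_flow(secret=b"constructed-shared-secret"):
    """Walk the exchange: Access-Challenge with 18 and 24, then a follow-up request echoing State."""
    req_auth = bytes(range(16))                 # constructed Request Authenticator (random in practice)
    challenge = build_response(ACCESS_CHALLENGE, 7, req_auth,
                               [(REPLY_MESSAGE, b"Enter the code sent by SMS"), (STATE, b"sess-0001")],
                               secret)
    code, _, attrs = parse_response(challenge, req_auth, secret)
    prompt = next((v for t, v in attrs if t == REPLY_MESSAGE), None)   # attribute 18: shown to the user
    state = next((v for t, v in attrs if t == STATE), None)            # attribute 24: opaque, echoed back
    # The second Access-Request carries the code the user typed and must copy State unchanged
    # so the server can tie it to the pending challenge (User-Password hiding omitted here).
    followup = decode_attrs(encode_attrs([(USER_NAME, b"alice"), (STATE, state)]))
    return code == ACCESS_CHALLENGE and prompt is not None and (STATE, state) in followup
```

A response whose authenticator does not verify under the shared secret is rejected before its attributes are read, which is the check a client should make before displaying a Reply-Message prompt.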
In View 5.1, RADIUS authentication can be configured on each Connection Server in a similar way to how RSA SecurID is configured in this and earlier releases. It may be that RADIUS authentication is just needed for remote access users in which case just the externally facing Connection Servers would be configured for RADIUS.
This document describes the basic setup of View 5.1 Connection Server to support RADIUS authentication.
The minimum setup for View RADIUS authentication is a single View 5.1 Connection Server, a single RADIUS server and a single View Client as shown in the diagram below. A secondary RADIUS server, View Security Servers and replica Connection Servers are optional.
Notes:
For more information on this you can watch this 45 minute video which goes through the setup of RADIUS with View 5.1 in a lot more detail and also covers troubleshooting steps.
VMware View 5.1 RADIUS Authentication Setup from Mark Benson on Vimeo.
Hi Mark, great write-up and very clear and complete.
I have one design question, why is it not foreseen to specify a Radius authentication server on the Security servers ? Isn't it more logical to do the authentication as soon as possible when a user comes in from the Internet ?
Our VPN gateways are set up like that.
Now the Radius authentication has to come from the paired Connection servers, and those are located in another site. The Security server - Connection server connection runs over the company backbone from the site that hosts the DMZ to the site where the View servers run.
Luc
Thank you for your comments Luc.
In View, Authentication is performed by the Connection Server. Some people do set up View to perform authentication in the DMZ by putting Connection Servers in the DMZ, but this does require that they can connect directly to authentication servers from the DMZ (RADIUS, AD, ...).
The more common approach is to have the Connection Servers in the green zone perform authentication so that DMZ components don't have to have access to authentication servers.
If you want to ensure that authentication is performed in the DMZ, then you can put the Connection Server in the DMZ and ensure that it has access to your authentication servers. You can still have the virtual desktops in the green zone.
Some people also have a double DMZ where Security Servers are in an outer DMZ and the Connection Servers are in an inner DMZ.
If you want to follow up with a discussion on this, post a follow-up message on the discussion forum.
Thanks!
Is it possible to expose as to RADIUS what the View client's IP address is?
Not in View 5.1. You can send me a message directly if you want to follow up.
Mark
Hi Mark,
Thought I'd give Horizon View 5.3 a spin in my home lab with Azure Multi-Factor Authentication (previously PhoneFactor). Setup is very similar, but I have found that when I tick the box to use the same username and password for RADIUS and Windows authentication I first get my SMS, which works correctly, but this is followed by a "General Authentication Failure" dialog in the View client. If I click OK, it passes me through to login with my Windows credentials, so I think the passing of credentials is failing somewhere. If I untick the box, I get prompted twice for AD credentials as expected and this works fine.
Thinking back, if I remember, phonefactor sent a PIN to enter in the old client whereas the Microsoft one I am currently testing requires me to reply with my PIN to a text.
Have you tried using Azure MFA yet with Horizon View? Would like to hear your thoughts.
John
Another simple option for MFA with RADIUS is NetIQ's Advanced Authentication Framework, which supports a wide range of Multi-Factor Authentication options including voice, SMS, smartphone app, soft or hard tokens, USB key tokens like YubiKeys, and much more. Gives you lots of options beyond the traditional hard token.
Mark
I created a how-to on SMS PASSCODE. Here is the link for setting up SMS PASSCODE with VMware Horizon View:
Latest version of TekRADIUS supports VMware View RADIUS two factor authentication. See https://www.kaplansoft.com/tekradius/Docs/VMware.pdf for more details.