Skip to main content

VMware Horizon RADIUS integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly used to authenticate, authorize, and account for user access and actions.

RADIUS is a protocol commonly used to authenticate, authorize, and account for user access and actions. Arculix offers a simple solution for adding MFA to VMware Horizon via its Radius solution. This document is a step-by-step guide to connect your VMware Horizon structure to the Arculix Radius agent.

Prerequisites

  • Arculix RADIUS Agent that is configured and connected to your user directory. For example, Microsoft Active Directory (AD).

    For more information, see the Arculix RADIUS Agent deployment guide.

  • User account with administrative privileges for the VMware Horizon Connection Server.

Arculix RADIUS Agent configuration

To integrate Arculix with your VMware Horizon structure, you will need to install an Arculix RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your Horizon server, check with LDAP server to perform primary authentication, and then contact Arculix cloud service for secondary authentication.

Follow these steps to configure the Arculix RADIUS Agent.

  1. Log in to the Arculix RADIUS Agent as an administrator.

  2. Open the radius-agent-config.env file with an editor.

    The file is located in the installed directory of RADIUS Agent. RADIUS clients are configured in this setting.

    Acceptto RADIUS agent
  3. At the end of the radius-agent-config.env file, set the following configuration for the ARA_CLIENTS attribute:

    Note

    The values should be separated by semicolons (;).

    ARA_CLIENTS=<An optional name for your Horizon>;<Internal IP address of your Horizon>;<a shared secret>

    For example, set:

    ARA_CLIENTS=Horizon;192.168.1.50/32;testing12345
    ARA_CLIENTS configuration
  4. Save the file.

  5. Run the following command to apply the changes:

    docker-compose down && docker-compose up -d

VMware Horizon Connection Server configuration

  1. Log in to the Horizon Administrator Console.

  2. Navigate to Servers then select the Connection Servers tab.

  3. Click Edit.

    vm-h_connection_servers.png
  4. In the dialog window, select the Authentication tab.

    vm-h_auth_tab.png
  5. Scroll down to the Advanced Authentication section and set the following configurations:

    2 factor authentication

    Set to RADIUS.

    Enforce 2-factor and Windows user name matching

    Select this check box.

    Use the same user name and password for RADIUS and Windows authentication

    Select this check box.

    vm-h_edit_connection_server.png
  6. In the Authenticators section, select Create New Authenticator and set the Authenticator Name.

    vm-h_new_auth.png
  7. Click Next and set the following configurations:

    Hostname/Address

    Set to the IP address of your Arculix RADIUS Agent.

    Authentication Port

    The RADIUS port number.

    The default is 1812.

    Accounting Port

    Set to 0.

    Authentication Type

    Set to PAP.

    Shared Secret

    The Arculix RADIUS Agent secret you configured in the previous section.

    Server Timeout

    Set to 60.

    vm-h_secondary_config.png

Test your application integration

  1. Launch the VMware Horizon Client. Initiate a connection to the server then enter your primary credentials.

    vm-h_login.png
  2. The Arculix Mobile app receives a push notification for your approval to log in.

    arculix_mobile_app_010.png
  3. After verification, you have access to your virtual desktop environment.

    vm-h_windows.png

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.