Documentation

Introduction

Use this guide to integrate VMware View/Horizon with SecureAuth IdP, using RADIUS OTP as the second factor.

Prerequisites

1. Have a VMware Horizon (with View) 5.x connection server (or newer)

2. Have SecureAuth IdP 8.2+ with the Multi-Factor App Enrollment Realm configured

3. Configure / enroll SecureAuth OTP apps

4. Configure the SecureAuth RADIUS server

VMware Horizon (with View) Configuration Steps


1. Configure the SecureAuth RADIUS Server appliance to point to the VMware Horizon connection server IP address.

1a. Use OTP_ONLY as the authentication type.

2. From a web browser, access the VMware Horizon Administrator.

3. Navigate to View Configuration > Servers > Connection Servers.

4. Select the Connection Server and click Edit.

5. Under Authentication > Advanced Authentication, set the 2-factor authentication option to RADIUS.

6. Under Authenticator, select Create New Authenticator.

Add RADIUS Authenticator Configuration Steps

7. Fill out the Add RADIUS Authenticator window as follows:

a. Label: Friendly name for the Authenticator, visible to clients

b. Description: Description field, not visible to clients

c. Hostname/Address: FQDN or IP address of the SecureAuth IdP / RADIUS server

d. Authentication port / Accounting port: The defaults are 1812 / 1813 respectively, but they can be changed in the SecureAuth RADIUS configuration (note: set the Accounting port to 0 if not using accounting).

Firewall

If changing the RADIUS server ports, be sure to check the local firewalls of both the SecureAuth IdP appliance and the VMware Horizon connection server, as well as any firewall between these endpoints.

e. Authentication Type: Must be set to PAP (at this time the SecureAuth RADIUS server only supports PAP).

f. Shared Secret: Defined in the SecureAuth RADIUS configuration; must match exactly.

g. Server Timeout: Number of seconds the VMware Horizon connection server waits before timing out the RADIUS request (30 seconds recommended).

h. Max Retries: Number of times the VMware Horizon connection server retries after a timeout (3 recommended).

i. Realm Prefix: Not used in the SecureAuth RADIUS implementation; leave blank.

j. Realm Suffix: Not used in the SecureAuth RADIUS implementation; leave blank.

8. If there is a secondary RADIUS server, complete the settings for the secondary server and select Finish.

9. If there are replica Connection Servers, they can also be set up for RADIUS authentication and can reuse an existing RADIUS authenticator configuration.

Windows View Client

10. Test this from any View Client.

If possible, use Windows View Client 5.1 or newer. Older View Clients still work, but refer to RSA SecurID in their text prompts.

Clients with RADIUS support show the appropriate token label in text prompts, which is the label configured in View for this authenticator.

Tips & Warnings

  1. After authenticating to RADIUS, the user may get another prompt if the RADIUS server responded with a supported Access-Challenge. Full generic RADIUS challenge/response is not supported, but a limited Access-Challenge for a string token code is supported.
  2. In the admin configuration of RADIUS authentication under Advanced Authentication, if Enforce 2-factor and Windows user name matching is ticked, the Windows login prompt after RADIUS authentication forces the username to be the same as the RADIUS username, and the user cannot modify it. This feature behaves the same as with RSA SecurID authentication.
  3. Similarly, if Use same username and password for RADIUS and Windows authentication is ticked, the user is not prompted for Windows credentials after RADIUS authentication, provided the RADIUS authentication used the Windows username and password.
    1. This feature is used in cases where the initial RADIUS authentication uses Windows authentication, which triggers an out-of-band transmission of a token code that is then used as part of a RADIUS challenge. This avoids the need for the user to re-enter the Windows username and password after RADIUS authentication.
    2. This feature does not work in Windows View Clients older than 5.1.
  4. To stop View from sending RADIUS Accounting requests, set the Accounting port to 0. If the RADIUS server does not support accounting messages it will most likely ignore them, which delays authentication while these messages are retried. Only set this port to a non-zero value if RADIUS accounting should be enabled and the RADIUS server supports it.
  5. If a Realm prefix string is specified for the authenticator, it is placed at the beginning of the username when it is sent to the RADIUS server.
    1. Example: If the username entered in the View Client is jdoe and a Realm prefix of DOMAIN-A\ is specified, then a username of DOMAIN-A\jdoe is sent to the RADIUS server.
    2. Similarly, if a Realm suffix string of @mycorp.com is specified instead, then a username of jdoe@mycorp.com is sent to the RADIUS server.
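The following Python script is an added example, not part of this guide and not SecureAuth's or VMware's code. It ties together the settings from the Add RADIUS Authenticator steps (PAP, shared secret, Realm prefix/suffix) and the Tips above (the limited Access-Challenge for a token code, Realm prefix/suffix applied to the username) by building and checking real RFC 2865 packets: the PAP User-Password hiding under the Request Authenticator and shared secret, the Response Authenticator check that fails when the two sides' secrets differ, and a challenge round trip. The user database, secret, passwords, OTP value and `toy_radius_server` are constructed for illustration; in particular, the two-step "Windows password, then challenge for the token code" flow models Tip 3, not the OTP_ONLY authentication type this guide configures, which takes the OTP directly.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Constructed sample data for the toy server; not real credentials
SHARED_SECRET = b"constructed-shared-secret"
USER_DB = {"jdoe": {"password": "Winter2024!", "otp": "493207"}}
PENDING = {}  # State value -> user who still owes a token code

def apply_realm(username, prefix="", suffix=""):
    """Build User-Name the way the authenticator's Realm prefix/suffix settings do."""
    return f"{prefix}{username}{suffix}"

def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 section 5.2: XOR each 16-octet block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + result, (block if decrypt else result)
    return out

def pap_encode_password(password, secret, authenticator):
    """Hide a PAP password under the Request Authenticator and the shared secret."""
    pw = password.encode() or b"\x00"
    pw += b"\x00" * (-len(pw) % 16)  # pad to a multiple of 16 octets
    return _xor_chain(pw, secret, authenticator, decrypt=False)

def pap_decode_password(encoded, secret, authenticator):
    return _xor_chain(encoded, secret, authenticator, decrypt=True).rstrip(b"\x00").decode()

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], max(data[i + 1], 2)  # a length < 2 is malformed; never loop on it
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, secret, username, password, authenticator, state=None):
    """What the connection server sends; State is echoed when answering an Access-Challenge."""
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_encode_password(password, secret, authenticator))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_response(code, request, secret, attrs=()):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret):
    """Client side: the reply only verifies when both ends hold exactly the same shared secret."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    return hmac.compare_digest(hashlib.md5(header + request[4:20] + body + secret).digest(), resp_auth)

def toy_radius_server(request, secret):
    """Constructed two-step server: Windows password first, then an Access-Challenge for the token code."""
    attrs = decode_attrs(request[20:])
    bare = attrs.get(USER_NAME, b"").decode(errors="replace").split("\\")[-1].split("@")[0]
    user = USER_DB.get(bare)
    try:
        pw = pap_decode_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    except UnicodeDecodeError:  # a secret mismatch turns the password into garbage
        pw = None
    state = attrs.get(STATE)
    if request[0] != ACCESS_REQUEST or user is None or pw is None:
        return build_response(ACCESS_REJECT, request, secret)
    if state is None:  # first leg: check the Windows password, then challenge for the token code
        if pw != user["password"]:
            return build_response(ACCESS_REJECT, request, secret)
        token = os.urandom(8)
        PENDING[token] = bare
        return build_response(ACCESS_CHALLENGE, request, secret,
                              [(REPLY_MESSAGE, b"Enter your SecureAuth passcode"), (STATE, token)])
    if PENDING.pop(state, None) == bare and pw == user["otp"]:  # second leg: the token code
        return build_response(ACCESS_ACCEPT, request, secret)
    return build_response(ACCESS_REJECT, request, secret)

def run_exchange(username, windows_password, token_code, secret=SHARED_SECRET,
                 server_secret=SHARED_SECRET, prefix="", suffix=""):
    """Drive the client side; returns 'accept', 'reject' or 'unverified' (secret mismatch)."""
    user_name = apply_realm(username, prefix, suffix)
    req = build_access_request(1, secret, user_name, windows_password, os.urandom(16))
    resp = toy_radius_server(req, server_secret)
    if not verify_response(resp, req, secret):
        return "unverified"  # the reply is discarded, exactly as a real client must do
    if resp[0] == ACCESS_CHALLENGE:
        state = decode_attrs(resp[20:])[STATE]
        req = build_access_request(2, secret, user_name, token_code, os.urandom(16), state)
        resp = toy_radius_server(req, server_secret)
        if not verify_response(resp, req, secret):
            return "unverified"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], "unexpected")
```

Running `run_exchange("jdoe", "Winter2024!", "493207", server_secret=b"different-secret")` returns `"unverified"`: with mismatched secrets the server cannot recover the PAP password and the client cannot validate the Response Authenticator, which is the failure mode behind the "must match exactly" note on the Shared Secret field. The PAP hiding is an MD5-keyed XOR rather than real encryption, so the RADIUS path between the connection server and the IdP should stay on a trusted, firewalled segment, as the Firewall note above implies.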