2019

In this blog we are going to discuss adding Multi-Factor Authentication (MFA) using Okta Verify to VMware Horizon by leveraging the Okta Radius Agent.

For more information on this integration, please see https://www.okta.com/integrations/mfa-for-virtual-desktops/vmware/

 

We are going to walk through 3 separate deployment options to leverage the Okta Radius Client:

 

  1. Using Workspace ONE Access (formerly known as VMware Identity Manager)
  2. Using Unified Access Gateway (UAG)
  3. Using Horizon Connection Servers

 

Let's start with installing and configuring the Okta Radius Agent.

 

Installing the Okta Radius Agent

For detailed instructions please see: https://help.okta.com/en/prod/Content/Topics/Directory/Agent_Installing_the_Okta_Radius_Agent.htm

 

  1. Download the Okta RADIUS Agent from the Okta Admin Portal by going to Settings -> Downloads.
  2. Once downloaded, launch the installer.
  3. On the intro screen, click Next.
  4. Accept the license agreement and click Next.
  5. Select the correct installation path and click Install.
  6. Create a secret that will be used when configuring the RADIUS clients.
  7. If you require a proxy, complete this section; otherwise click Next.
  8. Click Next.
  9. Enter your tenant name (Note: do not enter the full URL) with the appropriate instance.
  10. You will be redirected to your Okta tenant to authenticate.
  11. Click Allow Access.
  12. You can then complete the installation.

 

Configure the Okta Radius Agent

 

The configuration for the Okta Radius Agent will be done within the Okta Admin Portal

 

  1. Click on Applications -> Applications
  2. Click New Application
  3. Search for "VMware Horizon View (RADIUS)" and Click Add
  4. Click Next
  5. Enter the UDP Port (1812)
  6. Enter the RADIUS secret you created during the agent installation.
  7. Select the username format that matches your environment.
    This is a very important step. For an optimal user experience, the username Okta receives should match the user's Horizon credentials. If you have multiple AD domains in your Horizon environment, the format should include the domain (i.e. UPN or email).
  8. Click Done.
  9. Click on the VMware Horizon View (RADIUS) application.
  10. Click Edit for the Advanced RADIUS Settings.
  11. If you want to enable push notifications, make sure the top two boxes are checked.
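Before wiring up WS1 Access, UAG or the Connection Servers (all of which send PAP to the agent), it is worth confirming that the agent answers on UDP 1812 with the secret from step 6 of the install. The script below is an added example, not part of the original post or of Okta's tooling: it builds a PAP Access-Request as RFC 2865 describes, sends it, and verifies the Response Authenticator so that a wrong secret or a spoofed reply is reported instead of being misread as a reject. The agent host, secret and user you pass in are placeholders for your own values.

```python
import hashlib
import os
import socket
import struct

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    # MD5(secret + previous block), chained from the Request Authenticator.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Inverse of pap_encrypt: what the agent does before checking the password.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, authenticator, username, password, secret):
    # Access-Request (code 1) carrying User-Name (type 1) and PAP User-Password (type 2).
    hidden = pap_encrypt(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def verify_response(resp, request_authenticator, secret):
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    # A reply that fails this check did not come from a peer holding the shared secret.
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest()
    return resp[4:20] == expected

def radius_check(host, port, secret, username, password, timeout=60.0):
    # Send one PAP Access-Request to the agent and name the reply. The timeout is long
    # on purpose: the agent holds the request open while the user approves the push.
    authenticator = os.urandom(16)
    packet = build_access_request(1, authenticator, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        resp, _ = sock.recvfrom(4096)
    if not verify_response(resp, authenticator, secret):
        return "bad Response Authenticator (wrong shared secret or spoofed reply)"
    return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(resp[0], f"code {resp[0]}")
```

Call it as `radius_check("<agent host>", 1812, b"<shared secret>", b"user@example.com", b"<password>")` from a Python shell; expect the call to block until the push is approved or denied in Okta Verify.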

 

Using Workspace ONE Access (formerly known as VMware Identity Manager)

 

  1. In the Workspace ONE Access Admin Console, go to Identity & Access Management -> Setup -> Connectors
  2. Click on your Worker to edit your connector configuration
  3. Click on Auth Adapters
  4. Click on the Radius Auth Adapter
  5. This will launch a configuration page running on your connector server.
    You will need connectivity to your connector server to complete this step.
    If you are presented with an access denied page, you might need to temporarily change your policy to Password.
  6. Add your RADIUS server host name, port and shared secret. (Leave the Authentication Type as PAP.)
  7. Click Save.
  8. Return to the WS1 Access Admin Console and verify that the RADIUS auth method is enabled. (You might need to refresh.)
  9. Go to Identity & Access Management.
  10. Click on Identity Providers.
  11. Click on your Built-In Identity Provider.
  12. Under Connector Authentication Methods, select Radius (Cloud Deployment).
  13. Click Save.
  14. Click on Policies.
  15. Edit the appropriate policy to include "Radius (cloud deployment)". In my example, I'm modifying the Win10 rule in the Default Policy.
  16. Click Save, Next and Save.
  17. Open an Incognito window to test the configuration.
    Note: If you ever lock yourself out, you can always go to https://[TENANT].vmwareidentity.com/SAAS/auth/0 to log in using your System Domain Account.
  18. You will be prompted to enter your Okta credentials.
  19. You should be prompted to approve the authentication in your Okta Verify application.

Using Unified Access Gateway (UAG)

 

In environments where a Unified Access Gateway is deployed, most customers will want to configure MFA here, as this appliance typically sits on the network edge. We can configure UAG to prompt for MFA using Okta Verify and then pass the credentials to Horizon to complete the authentication into the Horizon Client.

 

Note: If you have multiple AD domains, you will need to ensure your login through Okta contains the domain name (i.e. UPN/email).

 

  1. Log into your UAG Admin Console
  2. Under Authentication Settings, click the gear icon for RADIUS
  3. Enable RADIUS, Select PAP and enter the host name and port for the Okta Radius Agent.
  4. Click Save
  5. Expand Edge Service Settings and edit the Horizon Settings
  6. Click on "More" (at the bottom)
  7. Under Auth Methods, select radius-auth
  8. You will also need to turn on "Enable Windows SSO" so that the user is not prompted to log in a second time in the Horizon Client.
  9. Click Save.
  10. Test your configuration by logging into the Horizon portal. You will be prompted for your Okta username and password.
  11. You will then be prompted to approve the Okta Verify request on your device.

 

 

Using Horizon Connection Servers

 

Radius can be configured directly on the Horizon Connection Servers. This allows for MFA to be configured for both internal and external users (assuming internal users are not going through UAG).

 

Note: If you have multiple AD domains, you will need to ensure your login through Okta contains the domain name (i.e. UPN/email).

 

  1. Log into your Horizon Admin console
  2. Edit your Connection Server Settings
  3. Under Advanced Authentication, select Radius
  4. Select "Use the same username and password for RADIUS and Windows authentication".
  5. On the Authenticator drop down, select Create New Authenticator.
  6. Enter your host name, port and secret for the Okta Radius Agent.
  7. Click OK.
  8. Click OK.
  9. Test your configuration by logging into the Horizon Portal. You will be prompted for your Okta username and password
  10. You will then be prompted to approve the Okta Verify request on your device.