mmonkman
Enthusiast

UAG 3.2.1 - Radius Prompts for token first

Hi,

I'm using UAG 3.2.1 for radius authenticated external connections into our Horizon 7.5.0 environment.

Does anyone know if it's possible to be prompted for AD credentials first, followed by RADIUS passcode, rather than RADIUS username and passcode then AD creds?

Long story, but our users are used to being prompted this way for other systems access, so it's a big issue.

It looks like I have to set up a whole Identity Manager environment to facilitate this, where you simply specify the order, i.e. password, RADIUS.


Thanks,

Matt

1 Solution

Accepted Solutions
techguy129
Expert

I had the same challenge with setting up RADIUS/MFA using the UAG/Horizon. I didn't find a way around it. I wish there was better support for radius / federation in UAG.

As you mention, IDM is the route I went. With IDM (Workspace), I have it configured to auth with a 3rd-party IdP. Users are sent to Shibboleth to do the authentication (MFA/AD auth). Using this method, I had to set up TrueSSO for the single sign-in experience.


4 Replies
BenFB
Virtuoso

It depends on your RADIUS server and what it's configured or capable of doing. We use Duo; it first prompts for AD username/password and then the user receives an MFA push to their device/SMS/phone call.

mmonkman
Enthusiast

Thanks for the response. 

We use Symantec VIP for RADIUS auth, which provides a numeric token that doesn't match a user's AD password, so still get challenged at the connection server end.


I'll head down the IDM route then. Was hoping not to increase the infrastructure to support remote access to desktops but I'm sure we'll end up leveraging other features of Workspace in the future.

artiman73
Enthusiast

Hi Ben, we also want to use Duo for MFA to UAG and I'm having the same issue:

When I connect using the VMware Horizon client, it asks first for the RADIUS username and token (Duo) instead of asking for the AD credentials. Can you share your Duo RADIUS config to validate what I am missing?

Thanks in advance,

Andy

Andres Martinez, VCP # 360, VTSP, VSP, vExpert 2010
Founder and President, Virtesa
Bringing Virtualization to the Masses, Preparing for Cloud Computing
Web: http://www.virtesa.com
Twitter: http://www.twitter.com/andresmartinez_
LinkedIn: http://www.linkedin.com/in/andresmartinez73