Me again!
So I've successfully done 2FA with Radius and Connection server authentication in the past. I'm doing another one now with a different Radius solution which, unlike previous ones, requires the AD authentication first with Radius second. This is because upon successful AD authentication an SMS is sent to the authenticating user's phone with the OTP, which they can then enter on the next prompt.
This basically means that sp-auth needs to be followed by radius-auth, but this doesn't seem possible:
Can these be swapped around?
Yes, you basically configure Unified Access Gateway (formerly called Access Point) just for RADIUS authentication (radius-auth and sp-auth). The user is prompted for their passcode (which in your case is initially the AD password) and this is then sent to the RADIUS server for validation and for it then to generate the code sent via SMS. The next prompt is for this code which is handled as a RADIUS challenge. Both of these steps happen within the RADIUS authentication part even though the user enters their AD password initially. This is because the RADIUS server requires the password first.
After this, there is an option in UAG to use the same password for the subsequent prompt required by Horizon Connection Server as part of sp-auth (server pass-through authentication). This means the user isn't then prompted a second time for their password.
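To make the flow in the answer above concrete, here is an added model (not code from the thread or from VMware) of what the RADIUS server and the gateway each do: the first "passcode" prompt carries the AD password, the server answers with an Access-Challenge carrying a State attribute and triggers the SMS, the second prompt carries the OTP, and only after Access-Accept does the gateway pass the first-prompt password through to Connection Server. The user directory, OTP delivery and the `MockRadiusServer`/`uag_login` names are constructed for the example.

```python
import hmac
import secrets

# Constructed sample directory standing in for AD (example data only).
AD_USERS = {"alice": "Passw0rd!"}


class MockRadiusServer:
    """Stateful RADIUS: Access-Request -> Access-Challenge -> Access-Accept."""

    def __init__(self, send_sms):
        self.send_sms = send_sms   # callable(username, otp); stands in for the SMS gateway
        self.pending = {}          # State attribute -> (username, otp) awaiting step 2

    def access_request(self, username, password, state=None):
        if state is None:
            # Step 1: the password field of the first request is the AD password.
            expected = AD_USERS.get(username)
            if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
                return ("Access-Reject", None)
            otp = f"{secrets.randbelow(10**6):06d}"
            state = secrets.token_hex(16)   # opaque State echoed back by the client
            self.pending[state] = (username, otp)
            self.send_sms(username, otp)
            return ("Access-Challenge", state)
        # Step 2: same session (State present); the password field now carries the OTP.
        user, otp = self.pending.pop(state, (None, None))   # one-shot: no replay of a used State
        if user == username and otp is not None and hmac.compare_digest(otp.encode(), password.encode()):
            return ("Access-Accept", None)
        return ("Access-Reject", None)


def uag_login(server, username, ad_password, read_otp):
    """Model of the gateway doing radius-auth followed by sp-auth pass-through."""
    code, state = server.access_request(username, ad_password)
    if code != "Access-Challenge":
        return {"radius": code, "horizon_password": None}
    code, _ = server.access_request(username, read_otp(), state)
    if code != "Access-Accept":
        return {"radius": code, "horizon_password": None}
    # sp-auth: the password typed at the first RADIUS prompt is reused for
    # Connection Server, so the user is not asked for it a second time.
    return {"radius": code, "horizon_password": ad_password}
```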
It's been a while since we set this up and have only been using the App where the steps are:
User types in User name
User generates an OTP on the mobile App
User enters OTP and selects OK
User enters AD password
User is successfully logged in
This is all using the setting 'radius-auth' on its own (I believe the RADIUS server caches the AD credentials) and it works fine.
We also have a bunch of tokens/users on the same solution that do not use the app; they use the SMS method explained previously. Will these co-exist? I don't see from your explanation how UAG/RADIUS will know that the user doesn't have a passcode yet and will fall back to the AD password in the first instance. We haven't been able to get the SMS method working yet, nothing seems to happen,