I am hoping someone can shed some light on this... I am currently testing an MFA (Multi-Factor Authentication) solution called Dualshield. I have deployed a new View Connection Server and UAG just to test MFA authentication using RADIUS. Multi-Factor Authentication has been configured only for this View Connection Server and it is working as expected. I can connect internally (to the View Connection Server) or externally (to the UAG) and I get a RADIUS prompt asking for 1) AD username and password and 2) OTP (One-Time Password). The option “Use the same user name and password for RADIUS and Windows authentication” has been configured, which means the AD creds get passed to the next phase (the standard Horizon View login prompt that asks for AD credentials is bypassed). I can then select a Windows or Linux pool, and AD credentials get passed to the Guest OS appropriately. In summary, after the RADIUS MFA prompt, I get a single sign-on experience straight to the View Desktop. Here are my concerns:
I have been thinking of possible solutions to either scenario above, but can’t come up with anything good. The ideal solution would be if I could MFA at the initial RADIUS login prompt, select my pool and get logged straight into the desktop (just like I mentioned in bullet #1), and also be prompted for my MFA credentials every time I unlock my OS screen (just like I mentioned in bullet #2).
Is this a limitation when using RADIUS for MFA in Horizon View? Is RSA SecurID the answer? Has anyone had these concerns in their RADIUS MFA implementation and, if so, how have you technically addressed them, or what reasonable security justification have you come up with to accept the risk? Thank you in advance for your feedback.