Rdiaz29
Enthusiast
Enthusiast

RADIUS MFA Concerns

Hi,

I am hoping some can shed some light on this...I am currently testing an MFA (Multi Factor Authentication) solution called Dualshield. I have deployed a new View Connection Server and UAG just to test MFA authentication using RADIUS. Multi-Factor authentication has been configured only for this View Connection Server and it is working as expected. I can connect internally (to the View Connection Server) or externally (to the UAG) and I get a RADIUS prompt asking for 1) AD username and password and 2) OTP (One-Time Password). Option “Use the same user name and password for RADIUS and Windows authentication” has been configured, which means the AD creds gets passed to the next phase (the standard Horizon View login prompt that asks for AD credentials is bypassed), I can then select a Windows or Linux pool, and AD credentials get passed to the Guest OS appropriately. In summary, after the RADIUS MFA prompt, I get a single sign on experience straight to the View Desktop. Here are my concerns:

  • 1) We are only protecting the initial connection when we connect to the VDI (via View Connection Server or UAG). Once the user is on the VDI desktop, they can lock their screen and when they unlock it they will not be prompted for MFA credentials because there is no MFA agent on the desktop. Users working internally using the Teradici Zero Clients can basically log in, in the morning using their MFA credentials, and then for the rest of the day they can just lock/unlock their VDI desktop without needing to MFA (they would only need their AD password). This kind of defeats the purpose of MFA if it is only required at the beginning of the day.
  • 2) An obvious answer would be to install the MFA agent on the parent image so that all desktops ask for MFA credentials on screen unlock. However, if I do this, the single sign on experience is broken and I have to specify my MFA credentials twice: 1) At the initial RADIUS prompt and 2) at the guest OS login screen. This is definitely a no-go in my mind.

I have thinking of possible solutions to either scenarios above, but can’t come up with anything good. The ideal solution would be if I can MFA at the initial RADIUS login prompt, select my pool and get logged in straight into the desktop (just like I mentioned in bullet #1), and also be prompted for my MFA credentials every time I unlock my OS screen (just like I mentioned in bullet #2).

Is this a limitation when using RADIUS for MFA in Horizon View? Is RSA SecureID the answer? Has anyone had these concerns in their RADIUS MFA implementation and if so, how have you technically addressed them or what reasonable security justification have you come up with to accept the risk? Thank you in advance for your feedback.

Tags (2)
0 Kudos
1 Reply
popvm
Hot Shot
Hot Shot

@markbenson or  might be able to help answer this. 

0 Kudos