VMware Horizon Community
GhinguskhanD1
Contributor

Unified Access Gateway: Radius Configuration

Hi all, can I ask for some assistance in getting 2 Factor authentication working using UAG? These are the steps I have taken to configure UAG and Connection Servers:

1. Connection Servers

1.1 Installed Connection Servers

1.2 Connection Server Settings - Disabled Secure Tunnel Settings

1.3 Connection Server Settings - 2-Factor Authentication Disabled

1.4 Connection Server File Level Config - disabled Origin Check

TEST - Created Pool and Provisioned VMs Successfully

TEST - Entered Connection Server name into Web Browser and presented with Horizon HTML Access screen successfully

TEST - Connected to VM via HTML access successfully

Single Factor Authentication Method used in the above scenario

2.  UAG

2.1 Deployed UAG

2.2 Updated Time Zone

2.3 Configured Horizon Settings

TEST - Entered UAG name into Web Browser and presented with Horizon HTML Access screen successfully

TEST - Connected to VM via HTML access successfully 

Single Factor Authentication Method used in the above scenario

3. Radius Server

3.1 Added an entry for UAG into RADIUS Server and created shared secret [saved config]

4. UAG

4.1 Configured RADIUS authentications settings (including shared password)

4.2 Saved Settings

TEST - Entered UAG name into Web Browser, no passcode login screen presented. Only Username and Password required to log in. Entered my user credentials and successfully managed to access my VM.

PROBLEM: Single Authentication method used in the above scenario. Expected 2 Factor (passcode, username and password).

It's my understanding that when a user signs in and RADIUS authentication is enabled, a special login dialog box appears in the browser. The user enters their RADIUS authentication user name and passcode. However, in my scenario, the "special login" is not appearing.

Can anyone point me in the right direction?

Attached screenshots:

Connection Server Settings: Connection Server - General.png, Connection Server - Advanced Authentication.png, Connection Server - File Level Config.png

UAG RADIUS Settings: Radius.png

RADIUS Server: Radius Server.png

ArnoM
Enthusiast

Not very clear to me... did you also enable RADIUS on the connection server?

Blog: https://arnomeijroos.com/ Twitter: @ACMeijroos
GhinguskhanD1
Contributor

Hi ArnoM

Thank you for responding. I have tried to add more detail to my question above.

In response to your question, I have not enabled RADIUS on the connection server/s.

I thought the RADIUS element would be handled by the UAG box, as in, it talks directly to the RADIUS server. Once the user has entered a passcode successfully then the user will be asked for a Username and Password to connect them to the connection servers where they will be offered a VM. Please correct me if I'm wrong in my assumption.

GhinguskhanD1
Contributor

Hi ArnoM,

Enabled RADIUS on the Connection servers that will receive external connection requests and on the UAG.

And... hey presto, it's all working as expected :)

Thank you

ArnoM
Enthusiast

No problem, thanks for the feedback.

Blog: https://arnomeijroos.com/ Twitter: @ACMeijroos
ChrisGe
Contributor

Hi ArnoM,

I have the same problem as GhinguskhanD1. Can you explain why you also have to configure the Connection Server for RADIUS?

Authentication should be done on the UAG (in DMZ) and not in the internal network (CS), in my opinion.

Regards,

ChrisGe

tjbailey
Enthusiast

We experience the same thing and are a little confused as to why RADIUS needs to be set up at the Connection server, especially when VMware is touting that you no longer need to pair anything with the Connection server. We don't want internal users to be prompted for multi factor when the Connection servers are used for both internal and external traffic.

BenFB
Virtuoso

RADIUS only needs to be configured on the UAG and should not also be configured on the connection server (we have this deployed and working with two UAGs behind a load balancer). It sounds like something isn't configured correctly on the UAG.

Can you verify on the UAG that "Auth Methods" is set to "radius-auth" under Edge Service Settings > Horizon Settings > More? Also verify that "Enable RADIUS" is set to "Yes" under Authentication Settings > RADIUS.

If you are doing a two NIC deployment, the RADIUS traffic will originate from the internal/management NIC. Verify that you have the firewall configured appropriately.

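Added example, not part of the thread and not VMware tooling: a small audit for the mismatch the answer above describes, where RADIUS is enabled under Authentication Settings but "radius-auth" is not selected in the Horizon "Auth Methods", so logins quietly stay single-factor. It runs over a constructed, export-style JSON document; every key name in it is an assumption to be mapped onto your own UAG settings export.

```python
import json
import re

RADIUS = "radius-auth"

# Constructed sample shaped like a UAG settings export (not from the thread).
# Every key name below is an assumption; map them to your own export.
SAMPLE_EXPORT = json.loads("""
{
  "edgeServiceSettingsArray": {"edgeServiceSettingsList": [
    {"identifier": "VIEW", "enabled": true, "authMethods": ""}
  ]},
  "authMethodSettingsArray": {"authMethodSettingsList": [
    {"name": "radius-auth", "enabled": true, "hostName": "radius.example.test"}
  ]}
}
""")


def _is_true(value):
    # Exports may carry booleans or the strings "true"/"false".
    return str(value).strip().lower() == "true"


def audit_radius(cfg):
    """Return findings; an empty list means RADIUS is both enabled and selected."""
    auth = cfg.get("authMethodSettingsArray", {}).get("authMethodSettingsList", [])
    enabled = any(m.get("name") == RADIUS and _is_true(m.get("enabled")) for m in auth)
    edges = cfg.get("edgeServiceSettingsArray", {}).get("edgeServiceSettingsList", [])
    findings = []
    for edge in edges:
        name = edge.get("identifier", "?")
        # authMethods may chain several methods; split on anything that
        # cannot be part of a method name.
        chosen = set(re.findall(r"[a-z0-9-]+", (edge.get("authMethods") or "").lower()))
        if enabled and RADIUS not in chosen:
            findings.append(f"{name}: RADIUS enabled but not in Auth Methods; logins stay single-factor")
        elif RADIUS in chosen and not enabled:
            findings.append(f"{name}: Auth Methods selects {RADIUS} but RADIUS is disabled")
        elif not enabled:
            findings.append(f"{name}: RADIUS neither enabled nor selected")
    return findings


if __name__ == "__main__":
    for line in audit_radius(SAMPLE_EXPORT) or ["OK: RADIUS enabled and selected"]:
        print(line)
```

Running the check after every settings change or appliance redeploy catches the silent fallback to username and password before users do.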
tjbailey
Enthusiast

Yeah, I definitely feel like an idiot. I didn't realize there was the "Auth Methods" dropdown within "Horizon Settings". Within the VMware documentation I went through only the "Configure RADIUS Authentication" settings, assuming that once "RADIUS" was configured it got enabled... not so.

ChuckS42
Enthusiast

Yea, no. That's not right. You enable RADIUS either on the UAG, or on the Connection server, not both.
