LukaszDziwisz
Hot Shot

VMware UAG 2111 with MFA breaks iOS, Chromebook and Android Clients

Hello Everyone,

After upgrading to UAG 2111 to address the famous vulnerability, we are getting multiple reports of Horizon Client not working and getting Access Denied on the MFA prompt. We are using Okta as a RADIUS agent. It appears that any Horizon Client 2111 on any platform doesn't work with MFA. If downgraded to 2106 on Windows or macOS then it works again, but for mobile devices it is not an option.

Is anybody experiencing the same thing?

Looks like Duo reported the issue even before UAG 2111 was available to everyone:

https://www.stephenwagner.com/2021/12/02/duo-mfa-radius-issues-with-vmware-horizon-8-version-2111-ua...

Any help would be appreciated.

2 Replies
yqowen
VMware Employee

Hi @LukaszDziwisz, would you please confirm that the MFA (RSA or RADIUS) was enabled on Horizon Connection Server or UAG?

Thanks.

LukaszDziwisz
Hot Shot

Yes, it is, and this appears to be the culprit of the issue. Just got off the phone with VMware and we will be implementing a workaround of Disabling Client Encryption on UAG in Horizon Settings. After doing that it appears that all clients work just fine. It's a new feature that was introduced in 2111.

This issue is caused by a defect in UAG versions 2111(.x) relating to new functionality introduced to support additional encryption of particular credential values from Horizon client versions 2111 and newer. It only occurs with this combination of UAG and Horizon Client versions and only occurs when using UAG in passthrough authentication mode and when Connection Server is configured for RADIUS or RSA SecurID.

 

Looks like we will need to move our RADIUS to UAG at some point in time instead of keeping it on Connection Server.

For now the workaround works. Thank you, everyone, for your assistance.
