Trying again to set up RADIUS auth on UAG 3.0 appliances (previously trying on 2.9 UAGs). We have working basic UAG ini files where we can enable RADIUS on the underlying Windows servers and everything works the way we'd like.
When we use the Windows servers to do RADIUS auth, we check this box and it's great - users enter their AD creds, are prompted for their token, and get right in to their desktop(s).
In deploying UAGs anew today and trying (again) to leverage the UAGs for RADIUS, I have the following settings in my .ini files:
[Horizon]
<snip the tunnel and blast stuff here>
authMethods=radius-auth && sp-auth
matchWindowsUserName=true
windowsSSOEnabled=true
[RADIUSAuth]
hostName=10.xx.xx.xx
authType=PAP
authPort=1812
radiusDisplayHint=ENT
Users are prompted for their AD creds, enter their token info, and then are re-prompted for their AD creds.
Should the UAGs pass the user's creds through to the Windows servers and not re-prompt for those creds before letting people in?
I ran into the same issue, and I have a ticket open with VMware support for it right now. However, I strongly suspect the answer to the question "can the UAG be configured to transparently pass the RADIUS credentials to the VCS for AD authentication?" is actually "no" and it will require a development enhancement to change it to "yes." After a bunch of testing, as far as I can tell, the "windowsSSOEnabled" configuration setting in the UAG deployment INI file means "pass the user-entered AD credentials through to the virtual desktop on the PCoIP/RDP/Blast connection" and not "pass the RADIUS credentials to the VCS so we don't have to explicitly log in to AD," even though the latter is what the UAG documentation seems to suggest at first glance.
So, after some more testing, I've determined the following:
If you don't have multiple domains in your forest, just changing your authMethod to just radius-auth (rather than radius-auth && sp-auth) might do the trick for you.
There are some options for this in the reply to the other thread on this topic here - Specifying a default AD domain without filtering
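An added example, not from this thread or from VMware: a small Python lint over the INI shape posted in the first message that flags the `radius-auth && sp-auth` chain behind the double credential prompt, checks that a `[RADIUSAuth]` section with host, type and port is present whenever `radius-auth` is used, and notes what `windowsSSOEnabled` does according to the reply's testing. The sample INI is constructed from the posted settings, with the host left redacted; the key names are the ones shown on the page, and the `REQUIRED_RADIUS_KEYS` list is this example's own assumption, not a VMware-documented minimum.

```python
import configparser

# Constructed sample built from the settings quoted in the thread (tunnel/Blast keys omitted).
SAMPLE_INI = """
[Horizon]
authMethods=radius-auth && sp-auth
matchWindowsUserName=true
windowsSSOEnabled=true

[RADIUSAuth]
hostName=10.xx.xx.xx
authType=PAP
authPort=1812
radiusDisplayHint=ENT
"""

# Assumed minimum set of keys for a usable [RADIUSAuth] section (this example's choice).
REQUIRED_RADIUS_KEYS = ("hostName", "authType", "authPort")


def parse_auth_methods(value):
    """Split 'radius-auth && sp-auth' into its chained method names."""
    return [m.strip() for m in value.split("&&") if m.strip()]


def lint_uag_ini(text):
    """Return a list of human-readable findings about the RADIUS auth settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # UAG keys are camelCase; do not lower-case them
    cp.read_string(text)
    findings = []
    if not cp.has_section("Horizon"):
        return ["missing [Horizon] section"]
    horizon = cp["Horizon"]
    methods = parse_auth_methods(horizon.get("authMethods", ""))
    if "radius-auth" in methods and "sp-auth" in methods:
        findings.append("authMethods chains radius-auth with sp-auth: users get a "
                        "second AD credential prompt after the RADIUS token")
    if "radius-auth" in methods:
        if not cp.has_section("RADIUSAuth"):
            findings.append("radius-auth enabled but [RADIUSAuth] section is missing")
        else:
            for key in REQUIRED_RADIUS_KEYS:
                if key not in cp["RADIUSAuth"]:
                    findings.append(f"[RADIUSAuth] missing {key}")
    if horizon.get("windowsSSOEnabled", "").lower() == "true":
        findings.append("windowsSSOEnabled=true forwards the typed AD credentials to the "
                        "desktop session, not to the Connection Server")
    return findings
```

Running `lint_uag_ini(SAMPLE_INI)` reports the chained-methods finding; removing `&& sp-auth` from `authMethods` (the single-domain suggestion in the last reply) clears it while the `[RADIUSAuth]` checks still pass.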