You enable a Connection Server instance for RSA SecurID authentication or RADIUS authentication by modifying Connection Server settings in Horizon Administrator.
Prerequisites
Install and configure the two-factor authentication software, such as the RSA SecurID software or the RADIUS software, on an authentication manager server.
- For RSA SecurID authentication, export the sdconf.rec file for the Connection Server instance from RSA Authentication Manager. See the RSA Authentication Manager documentation.
- For RADIUS authentication, follow the vendor's configuration documentation. Make a note of the RADIUS server's host name or IP address, the port number on which it is listening for RADIUS authentication (usually 1812), the authentication type (PAP, CHAP, MS-CHAPv1, or MS-CHAPv2) and the shared secret. You will enter these values in Horizon Administrator. You can enter values for a primary and a secondary RADIUS authenticator.
Procedure
- In Horizon Administrator, select .
- On the Connection Servers tab, select the server and click Edit.
- On the Authentication tab, from the 2-factor authentication drop-down list in the Advanced Authentication section, select RSA SecureID or RADIUS.
- To force RSA SecurID or RADIUS user names to match user names in Active Directory, select Enforce SecurID and Windows user name matching or Enforce 2-factor and Windows user name matching.
If you select this option, users must use the same RSA SecurID or RADIUS user name for Active Directory authentication. If you do not select this option, the names can be different.
- For RSA SecurID, click Upload File, type the location of the sdconf.rec file, or click Browse to search for the file.
- For RADIUS authentication, complete the rest of the fields:
- Select Use the same username and password for RADIUS and Windows authentication if the initial RADIUS authentication uses Windows authentication that triggers an out-of-band transmission of a token code, and this token code is used as part of a RADIUS challenge.
If you select this check box, users will not be prompted for Windows credentials after RADIUS authentication if the RADIUS authentication uses the Windows username and password. Users do not have to reenter the Windows username and password after RADIUS authentication.
- From the Authenticator drop-down list, select Create New Authenticator and complete the page.
- Click OK to save your changes.
You do not need to restart the Connection Server service. The necessary configuration files are distributed automatically and the configuration settings take effect immediately.
Results
When users open
Horizon Client and authenticate to Connection Server, they are prompted for two-factor authentication. For RADIUS authentication, the login dialog box displays text prompts that contain the token label you specified.
Changes to RADIUS authentication settings affect remote desktop and application sessions that are started after the configuration is changed. Current sessions are not affected by changes to RADIUS authentication settings.
What to do next
If you have a replicated group of Connection Server instances and you want to also set up RADIUS authentication on them, you can re-use an existing RADIUS authenticator configuration.