For two-factor authentication of end users that are internal on your corporate network, you can use RSA SecurID or RADIUS (Remote Authentication Dial-In User Service) server authentication. For two-factor authentication of end users that are external to your corporate network, you configure Unified Access Gateway to provide that authentication.

About this task

To enable two-factor authentication for end users that are connecting to their assigned resources from outside of the corporate network, you configure authentication when you deploy and configure Unified Access Gateway for use with your installed environment. For the steps on deploying and configuring Unified Access Gateway, see the Unified Access Gateway product information at www.vmware.com/support/pubs/.

To configure the settings for two-factor authentication for your end users that are connecting to their assigned resources from within your internal corporate network, use the 2Factor Authentication page in the Administration Console.

Prerequisites

Install and configure the two-factor authentication software, either the RSA SecurID software or the RADIUS software, on an authentication manager server.

When using RSA SecurID authentication, export the sdconf.rec configuration file from your RSA Authentication Manager. You upload this file when configuring RSA SecurID two-factor authentication using the Administration Console.

When using RADIUS authentication, verify you have the following required information from your RADIUS server installation. These values are required when configuring RADIUS two-factor authentication using the Administration Console.

  • RADIUS server's DNS name or IP address

  • The UDP port on which the RADIUS server listens for authentication requests, if different from the default port of 1812

  • The authentication type, such as PAP, CHAP, MS-CHAPv1, or MS-CHAPv2

  • The shared secret

Important:

Before using the Administration Console to configure the settings for two-factor authentication using RADIUS, make sure that the Horizon Cloud Node IP address is registered as a client on the RADIUS server and auxiliary RADIUS server, if any. Go to Settings > Infrastructure to obtain the Horizon Cloud Node IP address. See Infrastructure Page for details.

Procedure

  1. In the Administration Console, select Settings > 2 Factor Auth.
  2. Click New.
  3. Select the authentication method.
  4. Configure the appropriate settings according to your selected authentication method.
    • When using RADIUS authentication, configure the following settings:

      Maintain Username
        Select Yes to force the RADIUS user name to match the user name in Active Directory; the user attempting to authenticate must then use the RADIUS user name. If you select No, the user name is not locked and the user can enter a different name.
      Provider Name
        (Required) Name that distinguishes the type of RADIUS authentication being used.
      Host Name / IP Address
        (Required) DNS name or IP address of the authentication server.
      Shared Secret
        (Required) Secret for communicating with the server. The value must be identical to the value configured on the server.
      Authentication Port
        UDP port used to send and receive authentication traffic. Default is 1812.
      Accounting Port
        UDP port used to send and receive accounting traffic. Default is 1813.
      Mechanism
        Select the RADIUS authentication protocol: PAP, CHAP, MS-CHAPv1, or MS-CHAPv2.
      Server Timeout
        Number of seconds to wait for a response from the RADIUS server. Default is five seconds.
      Max number of Retries
        Maximum number of times to retry failed requests. Default is three tries.
      Realm Prefix
        Realm name and delimiter to prepend to the user name during authentication.
      Realm Suffix
        Realm name and delimiter to append to the user name during authentication.
      Auxiliary Server
        Default is NO. If set to YES, configure the corresponding settings for a secondary RADIUS server, which is used when the primary server does not respond.

    • When using RSA SecurID authentication, configure the following settings:

      Maintain Username
        Select Yes to force the RSA SecurID user name to match during authentication; the user attempting to authenticate must then use the same user name for the RSA SecurID challenge and the domain challenge. If you select No, the user name is not locked and the user can enter a different name.
      Upload Configuration File
        Click Select to navigate to and upload the sdconf.rec file.

  5. Click Save.

    The Test Authentication window appears.

  6. Enter your user name and passcode in the Test Authentication dialog box, then click Test.

Results

The result depends on the outcome of the test authentication:

  • If the authentication test is successful, your configuration settings are saved to the system, and users attempting to authenticate with the tenant portals see a dialog box asking them to log in with their two-factor authentication credentials, followed by their domain credentials.

  • If the Test Authentication credentials fail, the Test Authentication window remains open and your configuration settings are not saved. Correct the user name or passcode and try again or cancel out of the window and verify your configuration settings.