For two-factor authentication of end users that are internal on your corporate network, you can use RSA SecurID or RADIUS (Remote Authentication Dial-In User Service) server authentication. For two-factor authentication of end users that are external to your corporate network, you configure Unified Access Gateway to provide that authentication.
About this task
To enable two-factor authentication for end users that are connecting to their assigned resources from outside of the corporate network, you configure authentication when you deploy and configure Unified Access Gateway for use with your installed environment. For the steps on deploying and configuring Unified Access Gateway, see the Unified Access Gateway product information at www.vmware.com/support/pubs/.
To configure the settings for two-factor authentication for your end users that are connecting to their assigned resources from within your internal corporate network, use the 2Factor Authentication page in the Administration Console.
Install and configure the two-factor authentication software, either the RSA SecurID software or the RADIUS software, on an authentication manager server.
When using RSA SecurID authentication, export the sdconf.rec configuration file from your RSA Authentication Manager. You upload this file when configuring RSA SecurID two-factor authentication using the Administration Console.
When using RADIUS authentication, verify you have the following required information from your RADIUS server installation. These values are required when configuring RADIUS two-factor authentication using the Administration Console.
- RADIUS server's DNS name or IP address
- If different from the default port of 1812, the UDP port number on which the RADIUS server is listening for RADIUS authentication
- The authentication type, such as PAP, CHAP, MS-CHAPv1, or MS-CHAPv2
- The shared secret
Before using the Administration Console to configure the settings for two-factor authentication using RADIUS, make sure that the Horizon Cloud Node IP address is registered as a client on the RADIUS server and auxiliary RADIUS server, if any. Go to to obtain the Horizon Cloud Node IP address. See Infrastructure Page for details.
- In the Administration Console, select .
- Click New.
- Select the authentication method.
- Configure the appropriate settings according to your selected authentication method.
When using RADIUS authentication:
Select Yes to force matching of the RADIUS user names with the user names in Active Directory. If you select Yes, the user attempting to authenticate must match the RADIUS user name. If you select No, the user name is not locked and the user can enter a different name.
(Required) Name that distinguishes the type of RADIUS authentication being used.
Host Name / IP Address
(Required) DNS name or IP address of the authentication server.
(Required) Secret for communicating with the server. The value must be identical to the server-configured value.
UDP port configured to send or receive authentication traffic. Default is 1812.
UDP port configured to send or receive accounting traffic. Default is 1813.
Select the RADIUS authentication protocol: PAP, CHAP, MS-CHAPv1, or MS-CHAPv2.
Number of seconds to wait for a response from the RADIUS server. Default is five seconds.
Max number of Retries
Maximum number of times to retry failed requests. Default is three tries.
Name and delimiter of realm to be prepended to the user name during authentication.
Name and delimiter of realm to be appended to the user name during authentication.
Default is NO. If set to YES, configure the appropriate settings for a secondary RADIUS server to be used when the primary server is not responding.
When using RSA SecurID authentication:
Select Yes to force matching of the RSA SecurID user name during authentication. The user attempting to authenticate must have the same user name credentials for RSA and Domain Challenge. If you select No, the user name is not locked and the user can enter a different name.
Upload Configuration File
Click Select to navigate to and upload the sdconf.rec file.
- Click Save.
The Test Authentication window appears.
- Enter your user name and passcode in the Test Authentication dialog box, then click Test.
The result depends on the outcome of the test authentication:
If the authentication test is successful, your configuration settings are saved to the system and users attempting to authenticate with the tenant portals will see a dialog box asking them to log in with their credentials, followed by their domain credentials.
If the Test Authentication credentials fail, the Test Authentication window remains open and your configuration settings are not saved. Correct the user name or passcode and try again, or cancel out of the window and verify your configuration settings.
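The following added example (not part of the original documentation and not VMware code) shows why the shared secret entered in the RADIUS settings must be identical to the server-configured value when the PAP authentication type is selected. It implements the User-Password hiding from RFC 2865 section 5.2. The secrets, passcode and Request Authenticator are constructed sample values.

```python
import hashlib

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: hide a PAP password per RFC 2865 section 5.2."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    # Pad with NUL bytes to a multiple of 16, then XOR each block with
    # MD5(secret + previous ciphertext block); the first block uses the
    # Request Authenticator in place of a previous block.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse pap_hide using the server-configured secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")

def demo():
    """Return what a server recovers with a matching and a mismatched secret."""
    # Constructed values; a real client uses 16 unpredictable random bytes.
    authenticator = bytes(range(16))
    passcode = b"123456-constructed-passcode"
    hidden = pap_hide(passcode, b"client-side-secret", authenticator)
    matched = pap_reveal(hidden, b"client-side-secret", authenticator)
    mismatched = pap_reveal(hidden, b"server-side-typo", authenticator)
    return matched, mismatched

if __name__ == "__main__":
    matched, mismatched = demo()
    print("matching secret  :", matched)
    print("mismatched secret:", mismatched)
```

With a mismatched secret the server recovers different bytes than the user typed, so a correct passcode is still rejected. With PAP, the passcode is protected in transit only by MD5 and the shared secret, which is a reason to use a long random secret.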