VMware Horizon 8 RADIUS Integration
Last updated
Last updated
This guide explains the configuration of multi-factor authentication (MFA) for VMware Horizon 8 utilizing Mirket as the identity provider. Prior configuration and deployment of VMware Horizon 8 are required before setting up MFA with Mirket.
VMware Horizon 8 firewall offers various MFA configuration modes. In this integration, we've configured RADIUS authentication with Mirket.
Before proceeding with these procedures, ensure the following:
You've completed the installation and configuration of the Mirket (go to Mirket Installation Steps).
Horizon Connection Server is connected to vCenter Server.
The vCenter Server directs a Virtual Machine installed with the Horizon Agent.
Within this setup, the Horizon Connection Server has published one or more applications accessible on the Virtual Machine with the Horizon Agent installed.
With a user account existing in the Active Directory domain, you can log in to the Connection Server using the Horizon Client and access published applications.
Access the Horizon Console with an administrator account.
Go to Settings > Servers > Connection Servers from the menu. Then choose the existing connection server.
Click on Edit. Select the Authentication tab. Then choose the RADIUS option from the 2-factor authentication dropdown list under the Advanced Authentication section.
Check the "Enforce 2-factor and Windows user name matching" and "Use the same user name and password for RADIUS and Windows authentication" checkboxes.
Choose the Create New Authenticator option from the Authenticator dropdown list.
Enter an authenticator name in the Authenticator Name field. In this instance, enter the authenticator name as "Mirket".
Click on Next. Input the IP address or host FQDN of the server where the Mirket is installed in the Hostname/Address field.
Input "1812" in the Authentication Port field. Then input "0" in the Accounting Port field.
Choose the "PAP" option from the Authentication Type dropdown list.
Input "60" in the Server Timeout field. Then input "5" in the Max Attempts field.
Keep the remaining settings as default values.
Then click on Next and click on Finish to confirm settings.
Click on OK to confirm settings.
To enable Mirket to receive authentication requests from Horizon Connection Server, follow these steps:
Define Horizon Connection Server client as a RADIUS client resource within Mirket.
Create an authentication policy for the Horizon Connection Server RADIUS client resource or include it in an existing authentication policy.
Attach the Horizon Connection Server resource to the Mirket Radius.
Before starting, ensure that you have installed NPS (Network Policy Server) from Server Manager. Once installed, open the Network Policy Server. To add a Radius Client to the NPS, follow these steps:
Click on the 'Radius Clients and Server' folder and select the 'Configure Radius Clients' option.
Hover over the 'Radius Clients' option, right-click using the mouse, and select New.
In the window that appears, assign a name to your Radius Client in the Friendly Name section.
Enter the IP address of your firewall in the Address (IP or DNS) section.
Select either the 'Manual' or 'Generate' option to enter your secret key in the Secret Key section.
Click OK to confirm settings.
To set up multifactor authentication, make sure you have at least one user group in Mirket.
If it is preferred to use a local user, first create a local group and then create a local user and make the user a member of the group.
If it is preferred to use LDAP users, the priority LDAP group is created by pulling users from Active Directory or OpenLDAP in Mirket.
Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP etc.).
First, you should follow these steps:
Select Rules > Radius Rules.
Click on Add New.
Enter a rule name in the Name field.
Enter the rule description in the Description field.
Select the group to which the rule applies from the Group dropdown list.
Select the provider to which the rule applies from the Provider dropdown list.
Select the authorization profile to which the rule applies from the Authorization dropdown list.
Click on Save to confirm settings.
To validate the integration between Mirket MFA and your VMware Horizon 8, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.
In this example, we illustrate the use of the Approve/Deny authentication method.
Launch VMware Horizon Client.
Connect to Horizon Connection Server external FQDN.
Enter your Mirket username and your password.
Input your password in the Password field.
Click on Login. Then, select the 'Approve' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.
Input a shared secret key to communicate with the RADIUS server (Mirket Radius) in the Shared Secret field. In Mirket use this same secret key when .
