VMware Horizon Unified Access Gateway via RADIUS

Overview

You can use Groove.id to provide multi-factor authentication on VMware Horizon Unified Access Gateway appliances. In this configuration the Groove.id RADIUS proxy, running on the appliance itself, forwards RADIUS requests from the appliance to Groove.id. Users authenticate in headless sign-in mode: they approve a mobile push notification or, if that method is enabled, answer a voice call.

Configuring Groove.id

  1. In your Groove.id console (e.g. signin.example.com/setup) navigate to Apps.

  2. Create a new RADIUS application.

  3. Following the directions provided, download the Groove.id agent to your Unified Access Gateway appliance. If you have more than one appliance, you’ll need to perform this step on each Unified Access Gateway appliance.

Configure the RADIUS proxy

The grooveid RADIUS proxy listens locally on udp/1812 and forwards authentication requests from the Unified Access Gateway to Groove.id.

  1. Copy the token from the Groove.id console and place it in /etc/grooveid/radius.env on the Unified Access Gateway appliance. The token is what authenticates the proxy to Groove.id, so restrict the file to root; systemd reads it as root before switching to the `nobody` user, so the service itself needs no access to it.

    # mkdir -p /etc/grooveid
    # echo "GROOVEID_RADIUS_TOKEN=your-token-goes-here" > /etc/grooveid/radius.env
    # chmod 600 /etc/grooveid/radius.env
    
  2. Arrange for the RADIUS proxy to start automatically when the appliance boots by installing a systemd service. Enter the following as root on the Unified Access Gateway appliance:

    cat > /etc/systemd/system/grooveid-radius.service <<EOF
    [Unit]
    Description=grooveid-radius

    [Service]
    User=nobody
    EnvironmentFile=/etc/grooveid/radius.env
    WorkingDirectory=-/
    Restart=always
    ExecStart=/usr/local/bin/grooveid radius --listen=127.0.0.1:1812 --token \$GROOVEID_RADIUS_TOKEN

    [Install]
    WantedBy=multi-user.target
    EOF

    systemctl daemon-reload
    systemctl enable grooveid-radius.service
    systemctl start grooveid-radius.service

  The `\$` is escaped so that the shell leaves `$GROOVEID_RADIUS_TOKEN` in the unit file for systemd to expand from the environment file at start time. Because the token is then passed as a command-line argument, it is visible in the process list (`ps`, `/proc/<pid>/cmdline`) to any user with a shell on the appliance; treat shell access to the appliance as equivalent to holding the token. The proxy binds only to 127.0.0.1, so it is not reachable from the network.


If you upgrade or replace the Unified Access Gateway appliance, or if you have more than one appliance, repeat these steps on each one.

## Configure the Unified Access Gateway

First, you'll need to obtain a shared secret from the Groove.id console. If there
is no shared secret displayed, press the **Set Secret** button.

Following the [VMware documentation](https://docs.vmware.com/en/Unified-Access-Gateway/3.4/com.vmware.uag-34-deploy-config.doc/GUID-F16480E2-2079-4859-AE5B-8CC4DA266898.html), configure the Unified Access Gateway to use RADIUS.

1. In the admin UI Configure Manually section, click Select.

1. In the General Settings > Authentication Settings section, click Show.

1. Click the gear icon on the RADIUS line.

1. Apply the following settings

     Setting         | Value
     ----------------|-----------------
     Enable RADIUS   | **yes**
     Name            | **radius-auth**
     Authentication type | **PAP** (RADIUS PAP only hides the password with an MD5 stream keyed by the shared secret; this is acceptable here because the exchange never leaves the loopback interface, and this configuration must not be pointed at a proxy on another host)
     Shared secret | *copy the shared secret from the Groove.id console*
     Number of Authentication attempts allowed | *configure as desired*
     Number of attempts to RADIUS server | **3**
     Server Timeout in Seconds | **120** (this value must be fairly long because the proxy only answers once the user has acknowledged the notification on their phone)
     Radius Server Host name | **127.0.0.1**
     Authentication Port | **1812**
     Realm Prefix | *leave empty*
     Realm Suffix | *leave empty*
     Name Id Suffix | *leave empty*
     Login page passphrase hint | *leave empty*
     Enable basic MS-CHAPv2 validation | **no**
     Enable secondary server | **no**

1. Press **Save**.
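Once both sides are configured, it helps to exercise the proxy directly from the appliance shell before relying on the Horizon login flow, so that a failure can be attributed to the proxy and Groove.id rather than to the appliance settings. The following Python script is an added example written for this page; it is not part of the Groove.id agent or of VMware's documentation. It builds an RFC 2865 Access-Request with a PAP-hidden User-Password, sends it to the proxy and verifies the Response Authenticator of whatever comes back, which is the same check the appliance performs before trusting an Access-Accept. The listener address 127.0.0.1:1812 and the 120-second timeout mirror the settings above; the user name `testuser`, the NAS-Identifier `uag-radius-check` and the placeholder secret are assumptions to replace with your own values, and the script assumes the proxy validates the shared secret shown in the console.

```python
# Added example for this page (not Groove.id or VMware code): a minimal RFC 2865
# RADIUS/PAP client to exercise the local proxy. Assumptions: the proxy listens on
# 127.0.0.1:1812 and validates the shared secret shown in the Groove.id console;
# "testuser" is a Groove.id account; the NAS-Identifier and secret are placeholders.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: NUL-pad to 16-byte blocks, XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    This is keyed obfuscation, not encryption, hence the loopback-only deployment."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server applies it."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         authenticator: bytes = b"") -> bytes:
    """Access-Request with User-Name, hidden User-Password and NAS-Identifier."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, b"uag-radius-check"))  # placeholder NAS name
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Reply as a server builds it: Response Authenticator = MD5(Code + ID + Length +
    RequestAuthenticator + Attributes + Secret) (RFC 2865 s3)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Trust a reply only if its Identifier matches our request and its Response
    Authenticator checks out; otherwise any local process able to send a UDP datagram
    to our port could spoof an Access-Accept."""
    if len(response) < HEADER_LEN:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def check_proxy(username: str, password: str, secret: bytes, host: str = "127.0.0.1",
                port: int = 1812, timeout: float = 120.0) -> str:
    """Send one Access-Request; return "accept", "reject", "invalid" or "timeout".
    The timeout mirrors the appliance's Server Timeout: the proxy answers only after
    the user has acknowledged the push notification or voice call."""
    request = build_access_request(os.urandom(1)[0], username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if not verify_response(response, request, secret):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "invalid")


if __name__ == "__main__":
    import getpass
    # Placeholder secret and account; substitute the values from your Groove.id console.
    print(check_proxy("testuser", getpass.getpass("Password: "), b"shared-secret-from-console"))
```

Run it on the appliance while watching the test user's phone: `accept` means the push or call was approved, `reject` that Groove.id declined the attempt, `timeout` that nothing answered within the Server Timeout (check `systemctl status grooveid-radius.service`), and `invalid` that a reply arrived but did not authenticate against the shared secret you supplied, which points at a secret mismatch between the console and what you typed, or at something other than the proxy answering on the port.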