VMware Horizon Unified Access Gateway

How to configure VMware Horizon Unified Access Gateway with RADIUS

Overview

You can use Groove.id to provide multi-factor authentication on VMware Horizon Unified Access Gateway appliances. In this configuration the Groove.id RADIUS proxy forwards RADIUS requests from the appliance to Groove.id. Users sign in with the headless sign-in mode, in which they authenticate with either a mobile push notification or a voice call, if enabled.

Configuring Groove.id

  1. In your Groove.id console (e.g. signin.example.com/setup) navigate to Apps.

  2. Create a new RADIUS application.

  3. Following the directions provided, download the Groove.id agent to your Unified Access Gateway appliance. If you have more than one appliance, you’ll need to perform this step on each Unified Access Gateway appliance.

Configure the RADIUS proxy

The grooveid RADIUS proxy listens locally on udp/1812 and forwards authentication requests from the Unified Access Gateway to Groove.id.

  1. Copy the token from the Groove.id console and place it in /etc/grooveid/radius.env on the Unified Access Gateway appliance:

    # mkdir /etc/grooveid
    # echo "GROOVEID_RADIUS_TOKEN=your-token-goes-here" > /etc/grooveid/radius.env

  2. Arrange for the RADIUS proxy to start automatically when the appliance starts by installing a systemd service. Enter the following as root on the Unified Access Gateway appliance:

    # cat <<EOF >"/etc/systemd/system/grooveid-radius.service"
    [Unit]
    Description=grooveid-radius

    [Service]
    User=nobody
    EnvironmentFile=/etc/grooveid/radius.env
    WorkingDirectory=-/
    Restart=always
    ExecStart=/usr/local/bin/grooveid radius --listen=127.0.0.1:1812 --token \$GROOVEID_RADIUS_TOKEN

    [Install]
    WantedBy=multi-user.target
    EOF
    # systemctl enable grooveid-radius.service
    # systemctl start grooveid-radius.service

If you upgrade or replace the Unified Access Gateway appliance, or if you have more than one appliance, repeat these steps on each one.
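
The following check is an added example, not part of the Groove.id documentation or tooling: it audits the two files created above, confirming that the token file is not readable by group or other, that the placeholder token was replaced, and that the proxy binds only to loopback. The paths, the GROOVEID_RADIUS_TOKEN variable and the --listen flag are taken from this page; the function names and the script name audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example: audit the two files created in "Configure the RADIUS proxy".
# Paths, variable name and --listen flag come from this page; function names are hypothetical.
ENV_FILE=${ENV_FILE:-/etc/grooveid/radius.env}
UNIT_FILE=${UNIT_FILE:-/etc/systemd/system/grooveid-radius.service}

# True only if the token file exists and is not readable by group or other.
env_file_private() {
    [ -f "$1" ] || return 2
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# True only if a token is set and is not the placeholder from the instructions.
token_is_set() {
    tok=$(sed -n 's/^GROOVEID_RADIUS_TOKEN=//p' "$1" 2>/dev/null | tail -n 1)
    [ -n "$tok" ] && [ "$tok" != "your-token-goes-here" ]
}

# Prints the host:port given to --listen on the unit's ExecStart line.
listen_addr() {
    sed -n 's/^[[:space:]]*ExecStart=.*--listen=\([^[:space:]]*\).*/\1/p' "$1" 2>/dev/null
}

# True only if the proxy binds to loopback, so PAP requests never leave the appliance.
listens_on_loopback() {
    case "$(listen_addr "$1")" in
        127.0.0.1:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs all checks, prints one line per failure, returns non-zero if any failed.
audit() {
    rc=0
    env_file_private "$1" || { echo "FAIL: $1 is missing or readable by group/other"; rc=1; }
    token_is_set "$1" || { echo "FAIL: GROOVEID_RADIUS_TOKEN is unset or still the placeholder"; rc=1; }
    listens_on_loopback "$2" || { echo "FAIL: $2 does not bind the proxy to 127.0.0.1"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: token file is private and proxy listens on loopback"
    return "$rc"
}

# Run as root on the appliance: sh audit.sh run
if [ "${1:-}" = "run" ]; then
    audit "$ENV_FILE" "$UNIT_FILE"
fi
```

If the first check fails, running `chmod 600 /etc/grooveid/radius.env` as root corrects it; systemd reads the EnvironmentFile itself before switching to User=nobody, so the service account does not need read access to the file.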

Configure the Unified Access Gateway

First, you’ll need to obtain a shared secret from the Groove.id console. If there is no shared secret displayed, press the Set Secret button.

Following the VMware documentation, configure the Unified Access Gateway to use RADIUS.

  1. In the admin UI Configure Manually section, click Select.

  2. In the General Settings Authenticating Settings section, click Show.

  3. Click the gearbox in the RADIUS line.

  4. Apply the following settings:

| Setting | Value |
| --- | --- |
| Enable RADIUS | yes |
| Name | radius-auth |
| Authentication type | PAP |
| Shared secret | copy the shared secret from the Groove.id console |
| Number of Authentication attempts allowed | configure as desired |
| Number of attempts to RADIUS server | 3 |
| Server Timeout in Seconds | 120 (this value must be fairly long because we’ll be waiting for the user to acknowledge a notification on their phone) |
| Radius Server Host name | 127.0.0.1 |
| Authentication Port | 1812 |
| Realm Prefix | leave empty |
| Realm Suffix | leave empty |
| Name Id Suffix | leave empty |
| Login page passphrase hint | leave empty |
| Enable basic MS-CHAPv2 validation | no |
| Enable secondary server | no |

  5. Press Save.

Last modified May 12, 2020: refactor docs (d7a7a5c1d)