VMware Horizon Unified Access Gateway

How to configure VMware Horizon Unified Access Gateway with RADIUS

Overview

You can use Groove.id to provide multi-factor authentication on VMware Horizon Unified Access Gateway appliances. In this configuration the Groove.id RADIUS proxy runs on the appliance itself and forwards the RADIUS requests it receives from the appliance to Groove.id. Users sign in with the headless sign-in mode: they approve a mobile push notification or, if enabled, answer a voice call to authenticate.

Configuring Groove.id

  1. In your Groove.id console (e.g. signin.example.com/setup) navigate to Apps.

  2. Create a new RADIUS application.

  3. Following the directions provided, download the Groove.id agent to your Unified Access Gateway appliance. If you have more than one appliance, you’ll need to perform this step on each Unified Access Gateway appliance.

Configure the RADIUS proxy

The grooveid RADIUS proxy listens locally on udp/1812 and forwards authentication requests from the Unified Access Gateway to Groove.id. Because it binds to 127.0.0.1 only, nothing other than the appliance itself can submit RADIUS requests to it.

  1. Copy the token from the Groove.id console and place it in /etc/grooveid/radius.env on the Unified Access Gateway appliance. The file holds a credential, so keep it owned by root and readable by root only; systemd reads it as root before the service switches to the nobody user.

    # mkdir /etc/grooveid
    # echo "GROOVEID_RADIUS_TOKEN=your-token-goes-here" > /etc/grooveid/radius.env
    
  2. Arrange for the RADIUS proxy to start automatically when the appliance boots by installing a systemd service. Enter the following as root on the Unified Access Gateway appliance. The heredoc delimiter is unquoted, so the backslash in front of $GROOVEID_RADIUS_TOKEN keeps the variable literal in the unit file; systemd expands it from the environment file when the service starts.

    # cat <<EOF >"/etc/systemd/system/grooveid-radius.service"
    [Unit]
    Description=grooveid-radius

    [Service]
    User=nobody
    EnvironmentFile=/etc/grooveid/radius.env
    WorkingDirectory=-/
    Restart=always
    ExecStart=/usr/local/bin/grooveid radius --listen=127.0.0.1:1812 --token \$GROOVEID_RADIUS_TOKEN

    [Install]
    WantedBy=multi-user.target
    EOF

    # systemctl enable grooveid-radius.service
    # systemctl start grooveid-radius.service


If you upgrade or replace the Unified Access Gateway appliance, or if you have more than one appliance, repeat these steps on each one.
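The proxy installation above, scripted as an added example; it is not part of the original page and not Groove.id's or VMware's own tooling. It writes the same token file and systemd unit as the steps above, but creates the token file readable only by its owner and then checks that the unit binds the proxy to loopback and runs it unprivileged. The root-directory parameter (so the script can be exercised outside the appliance), the function names and the token value are assumptions introduced here for illustration; on an appliance you would call it with / as the root.

```shell
#!/bin/sh
# Added example, not Groove.id's or VMware's own tooling: scripts the proxy
# setup from the steps above (token file plus systemd unit) under a chosen
# root directory, then checks the result. The root is / on a real appliance;
# the demo at the bottom uses a scratch directory so it can run anywhere.
# The token used in the demo is constructed and not a real credential.

install_grooveid_radius() {
    root="$1"
    token="$2"
    etcdir="$root/etc/grooveid"
    unitdir="$root/etc/systemd/system"
    mkdir -p "$etcdir" "$unitdir" || return 1

    # The env file carries a credential: create it under umask 077 so it is
    # never world-readable, even between creation and chmod. systemd reads
    # EnvironmentFile as root before switching to User=nobody, so a 0600,
    # root-owned file is sufficient.
    ( umask 077 && printf 'GROOVEID_RADIUS_TOKEN=%s\n' "$token" > "$etcdir/radius.env" ) || return 1
    chmod 600 "$etcdir/radius.env" || return 1

    # Quoted delimiter: the installing shell expands nothing, so the literal
    # $GROOVEID_RADIUS_TOKEN reaches systemd, which substitutes it from the
    # EnvironmentFile at service start (the page's unquoted heredoc needs a
    # backslash escape for the same effect).
    cat > "$unitdir/grooveid-radius.service" <<'EOF'
[Unit]
Description=grooveid-radius

[Service]
User=nobody
EnvironmentFile=/etc/grooveid/radius.env
WorkingDirectory=-/
Restart=always
ExecStart=/usr/local/bin/grooveid radius --listen=127.0.0.1:1812 --token $GROOVEID_RADIUS_TOKEN

[Install]
WantedBy=multi-user.target
EOF
}

# Returns 0 if the files on disk match what the UAG configuration expects:
# a non-empty token readable only by its owner, a proxy bound to loopback
# (the UAG is pointed at 127.0.0.1:1812) and a service that does not run as root.
check_grooveid_radius() {
    root="$1"
    envfile="$root/etc/grooveid/radius.env"
    unit="$root/etc/systemd/system/grooveid-radius.service"
    [ -f "$envfile" ] || { echo "missing $envfile" >&2; return 1; }
    mode=$(stat -c '%a' "$envfile" 2>/dev/null || stat -f '%Lp' "$envfile")
    [ "$mode" = "600" ] || { echo "$envfile is mode $mode, expected 600" >&2; return 1; }
    grep -q '^GROOVEID_RADIUS_TOKEN=..*$' "$envfile" || { echo "no token in $envfile" >&2; return 1; }
    [ -f "$unit" ] || { echo "missing $unit" >&2; return 1; }
    grep -q -- '--listen=127.0.0.1:1812' "$unit" || { echo "proxy is not bound to loopback only" >&2; return 1; }
    grep -q '^User=nobody$' "$unit" || { echo "service would run as root" >&2; return 1; }
    return 0
}

# On the appliance, after systemctl start: confirm the proxy really is
# listening on loopback UDP 1812 (ss -lun lists listening UDP sockets).
proxy_is_listening() {
    ss -lun | grep -q '127\.0\.0\.1:1812'
}

# Demo against a scratch directory with a constructed token. On the appliance
# run install_grooveid_radius / "$TOKEN" as root, then systemctl enable/start.
demo_root=$(mktemp -d)
install_grooveid_radius "$demo_root" "example-token-not-a-real-one" \
    && check_grooveid_radius "$demo_root" \
    && echo "grooveid-radius files under $demo_root pass the checks"
rm -rf "$demo_root"
```

One property the page's unit and this script share: systemd substitutes the token into the ExecStart command line, so it is visible in the running process's argument list (ps, /proc/PID/cmdline) to any local account on the appliance. That is tolerable on a single-purpose appliance with no interactive users, but it is the reason the file permissions alone do not make the token private; the 0600 file still matters because it outlives the process and is what an image or backup of the appliance carries.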

Configure the Unified Access Gateway

First, you’ll need to obtain a shared secret from the Groove.id console. If there is no shared secret displayed, press the Set Secret button.

Following the VMware documentation, configure the Unified Access Gateway to use RADIUS.

  1. In the admin UI, under Configure Manually, click Select.

  2. In General Settings, next to Authentication Settings, click Show.

  3. Click the gear icon on the RADIUS line.

  4. Apply the following settings:

    Setting                                     Value
    Enable RADIUS                               yes
    Name                                        radius-auth
    Authentication type                         PAP
    Shared secret                               the shared secret from the Groove.id console
    Number of Authentication attempts allowed   as desired
    Number of attempts to RADIUS server         3
    Server Timeout in Seconds                   120
    Radius Server Host name                     127.0.0.1
    Authentication Port                         1812
    Realm Prefix                                leave empty
    Realm Suffix                                leave empty
    Name Id Suffix                              leave empty
    Login page passphrase hint                  leave empty
    Enable basic MS-CHAPv2 validation           no
    Enable secondary server                     no

    The server timeout must be fairly long because the RADIUS request is not answered until the user acknowledges the push notification or voice call on their phone. With three attempts to the RADIUS server at 120 seconds each, a request that is never acknowledged can take up to six minutes to fail.

    PAP is acceptable here only because the RADIUS server is the proxy on the appliance's own loopback interface, so the request never crosses the network. RADIUS does not encrypt the exchange; it hides the User-Password attribute with an MD5 keystream derived from the shared secret. Do not point this RADIUS configuration at a host reached over an untrusted network.

  5. Press Save.

Last modified May 12, 2020: refactor docs (393857667)