In this blog we are going to discuss adding Multi-Factor Authentication using Okta Verify with VMware Horizon by leveraging the Okta Radius Agent.
For more information on this integration, please see https://www.okta.com/integrations/mfa-for-virtual-desktops/vmware/
We are going to walk through 3 separate deployment options to leverage the Okta Radius Client:
- Using Workspace ONE Access (formerly known as VMware Identity Manager)
- Using Unified Access Gateway (UAG)
- Using Horizon Connection Servers
Let's start with installing and configuring the Okta Radius Agent.
Installing the Okta Radius Agent
For detailed instructions please see: https://help.okta.com/en/prod/Content/Topics/Directory/Agent_Installing_the_Okta_Radius_Agent.htm
- Download the Okta RADIUS Agent from the Okta Admin Portal by going to Settings -> Downloads
- Once downloaded, launch the installer.
- On the intro screen, click Next.
- Accept the license agreement and click Next.
- Select the correct installation path and click Install.
- Create a shared secret that will be used when configuring the radius clients.
- If you require a proxy, complete this section; otherwise click Next.
- Click Next
- Enter your tenant name (Note: do not enter the full URL) along with the appropriate instance.
- You will be redirected to your Okta tenant to authenticate.
- Click Allow Access
- You can then complete the installation.
Configure the Okta Radius Agent
The configuration for the Okta Radius Agent will be done within the Okta Admin Portal
- Click on Applications -> Applications
- Click New Application
- Search for "VMware Horizon View (RADIUS)" and Click Add
- Click Next
- Enter the UDP Port (1812)
- Enter the radius secret you used previously
- Select the correct username to match your environment.
This is a very important step. For an optimal user experience, this should match your Horizon credentials. If you have multiple AD domains in your Horizon environment, this should include the domain (i.e. UPN or email).
- Click Done
- Click on the VMware Horizon View (RADIUS) application.
- Click Edit for the Advanced Radius Settings
- If you want to enable push notifications, make sure the top two boxes are checked.
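Before wiring any of the three RADIUS clients to the agent, it is worth confirming that the UDP port and shared secret you just entered actually work. The following Python script is an added example, not Okta or VMware code: it builds an RFC 2865 PAP Access-Request (the authentication type the WS1 Access and UAG steps below select), hides the password the way the standard requires, and checks the Response Authenticator on the reply so that a mismatched shared secret is caught rather than silently producing rejects. The agent host name, the NAS-Identifier value and the sample credentials are assumptions you replace with your own.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # attribute types used here

def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: null-pad to 16-byte blocks, XOR each with MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def decode_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of encode_pap_password (strips the null padding)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out, prev = out + bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest())), hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, authenticator, nas_id=b"horizon-test"):
    """Access-Request: code, identifier, length, 16-byte Request Authenticator, then TLV attributes (nas_id is a placeholder)."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in (
        (USER_NAME, username), (USER_PASSWORD, encode_pap_password(password, secret, authenticator)), (NAS_IDENTIFIER, nas_id)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Reply as the agent builds it: Response Authenticator = MD5(header + Request Authenticator + attrs + secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request_auth + attrs + secret).digest() + attrs

def verify_response(resp, request_auth, secret) -> bool:
    """Accept only replies whose authenticator was computed with our shared secret (RFC 2865 s3)."""
    return resp[4:20] == hashlib.md5(resp[:4] + request_auth + resp[20:struct.unpack("!H", resp[2:4])[0]] + secret).digest()

def radius_check(host, port, username, password, secret, timeout=60.0):
    """Send one PAP Access-Request; the long timeout leaves time to approve the Okta Verify push on the phone."""
    auth, ident = os.urandom(16), os.urandom(1)[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(ident, username, password, secret, auth), (host, port))
        resp, _ = s.recvfrom(4096)
    if resp[1] != ident or not verify_response(resp, auth, secret):
        return "bad reply: identifier or Response Authenticator mismatch (check the shared secret)"
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}
    return names.get(resp[0], f"unexpected code {resp[0]}")
```

Calling radius_check with your agent's host name, port 1812, a username in the format you selected above and the shared secret from the install should return Access-Accept once the Okta Verify push is approved; an Access-Reject with a correct password usually points at the username format, while a "bad reply" points at the secret.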
Using Workspace ONE Access (formerly known as VMware Identity Manager)
- In the Workspace ONE Access Admin Console, go to Identity & Access Management -> Setup -> Connectors
- Click on your Worker to edit your connector configuration
- Click on Auth Adapters
- Click on the Radius Auth Adapter
- This will launch a configuration page running on your connector server.
You will need connectivity to your connector server to complete this step.
If you are presented with an access denied page, you might need to temporarily change your policy to Password. Add your Radius server host name, port and shared secret. (Leave the Authentication Type as PAP.)
- Click Save
- Return to the WS1 Access Admin Console and verify the Radius Auth Method is enabled. (You might need to refresh)
- Go to Identity & Access Management
- Click on Identity Providers
- Click on your Built-In Identity Provider
- Under Connector Authentication Methods, select Radius (Cloud Deployment)
- Click Save
- Click on Policies
- Edit your appropriate policy to include "Radius (cloud deployment)". In my example, I'm modifying the Win10 rule in the Default Policy.
- Click Save, Next and Save.
- Open an Incognito Window and we'll test the configuration
Note: If you ever lock yourself out, you can always go to https://[TENANT].vmwareidentity.com/SAAS/auth/0 to log in using your System Domain account.
- You will be prompted to enter your Okta Credentials
- You should be prompted to approve the authentication on your Okta Verify Application
Using Unified Access Gateway (UAG)
In environments where a Unified Access Gateway is deployed, most customers will want to configure MFA here, as this appliance typically sits on the network edge. We can configure UAG to prompt for MFA using Okta Verify and then pass the credentials to Horizon to complete the authentication into the View client.
Note: If you have multiple AD domains, you will need to ensure your login through Okta contains the domain name (i.e. UPN/email).
- Log into your UAG Admin Console
- Under Authentication Settings, click the gear icon for RADIUS
- Enable RADIUS, Select PAP and enter the host name and port for the Okta Radius Agent.
- Click Save
- Expand Edge Service Settings and edit the Horizon Settings
- Click on "More" (at the bottom)
- Under Auth Methods, select radius-auth
- You will also need to check "Enable Windows SSO" to prevent a second login prompt in the Horizon client.
- Click Save
- Test your configuration by logging into the Horizon Portal. You will be prompted for your Okta username and password
- You will then be prompted to approve the Okta Verify request on your device.
Using Horizon Connection Servers
Radius can be configured directly on the Horizon Connection Servers. This allows for MFA to be configured for both internal and external users (assuming internal users are not going through UAG).
Note: If you have multiple AD domains, you will need to ensure your login through Okta contains the domain name (i.e. UPN/email).
- Log into your Horizon Admin console
- Edit your Connection Server Settings
- Under Advanced Authentication, select Radius
- Select "Use the same username and password for RADIUS and Windows Authentication"
- On the Authenticator drop down, select Create New Authenticator
- Enter your host name, port and secret for the Okta Radius Agent
- Click OK
- Click OK.
- Test your configuration by logging into the Horizon Portal. You will be prompted for your Okta username and password
- You will then be prompted to approve the Okta Verify request on your device.