Horizon with 2FA Google Authenticator-RADIUS

Overview


This post covers deploying a FreeRADIUS server that uses Google Authenticator (through its PAM module) as a second authentication factor, and integrating that RADIUS server with a VMware Horizon environment through the Unified Access Gateway (UAG) and the Connection Server.

Special thanks to my colleague Eric Monjoin, who assisted and guided me in setting up this integration. He was the author of the original public document in 2015. A few years have passed, so this post carries some updates to it.

Note: The steps described in this post were tested in a LAB environment.

Environment Setup


  1. Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-76-generic x86_64)
  2. VMware Horizon version 7.11
  3. VMware UAG version 3.8

Radius Server Configuration

  1. Register the RADIUS server's IP address in your DNS forward and reverse lookup zones.

  2. Deploy a virtual machine with the Ubuntu operating system. Make sure VMware Tools is installed and running.
    Note: The virtual machine specifications used here are LAB specifications.

  3. Once the Ubuntu operating system is up and running, make sure you can ping both the IP address and the FQDN of the host.

  4. Check that the hosts file on the RADIUS server contains the virtual machine's IP address and FQDN.
    #vim /etc/hosts

  5. Update the RADIUS server's Ubuntu operating system. Log in as root and run the following commands.
    #apt-get update
    #apt-get dist-upgrade

  6. Install the NTP service on the RADIUS server to keep its clock synchronized. This is not optional here: Google Authenticator codes are time-based, so a RADIUS server whose clock drifts beyond the PAM module's tolerance window will reject valid codes.
    #apt-get install ntp

    Configure the RADIUS server's upstream NTP source by adding it to the ntp.conf file. In my example, the primary domain controller is the NTP source.

    #vim /etc/ntp.conf


    Restart the NTP service to apply changes.

    #systemctl restart ntp

    Check NTP service status

    #systemctl status ntp



    Run ntpq to list the NTP peers and their synchronization state
    #ntpq -p

    or

    #ntpq -pn



  7. Download and install PowerBroker Identity Services (PBIS) Open. PBIS lets the RADIUS server's Ubuntu operating system join the Active Directory domain and authenticate domain accounts: it provides the pam_lsass PAM module used later and the NSS lookups that expose domain users and groups to the system.

    #wget https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.deb.sh

    Once the download completes, make the file executable

    #chmod u+x pbis-open-9.1.0.551.linux.x86_64.deb.sh 


    Execute the installer

    #./pbis-open-9.1.0.551.linux.x86_64.deb.sh
  8. Join the RADIUS server to your domain.

    #domainjoin-cli join [domain name] [domain account]

    The [domain account] is an account with the "Add computer accounts" privilege (or a delegated equivalent) in Active Directory.

    Once completed, check that the computer object has been created in Active Directory.

    If you have only one domain (no child domains), you can change the PBIS configuration so that users log in with just their user name instead of DOMAIN\user. Either pass the option at join time:

    #domainjoin-cli join --assumeDefaultDomain yes [domain name] [domain account]

    or set it on an already-joined host:

    #/opt/pbis/bin/config AssumeDefaultDomain true

    After that, reboot the Ubuntu operating system.


  9. Test logging in to the RADIUS server's Ubuntu operating system with a domain account (without specifying the domain name). This first login also creates the domain user's home directory, which is where that user's Google Authenticator secret will be stored later.

  10. Switch back to root and install the Google Authenticator PAM module (libqrencode3 lets google-authenticator render the enrollment QR code in the terminal)

    #apt-get install libpam-google-authenticator libqrencode3


  11. Install FreeRADIUS; this is what turns the machine into a RADIUS server.

    #apt-get install freeradius
  12. After the FreeRADIUS installation finishes, edit /etc/freeradius/3.0/radiusd.conf and, in the security { } section, change user = freerad and group = freerad to root. The PAM stack configured below has to read each user's mode-0400 ~/.google_authenticator file, which the unprivileged freerad account cannot open. Be aware of what this costs: a bug in FreeRADIUS or any of its modules now runs as root on a domain-joined host, so keep this server single-purpose, firewalled to the RADIUS clients you list in step 18, and patched. (pam_google_authenticator's secret= and user= options, which keep all secrets in one directory owned by a service account, are the usual way to avoid running as root; this post follows the original setup and uses root.)
  13. Next, edit /etc/freeradius/3.0/users and modify the section "Deny access for a group of users".

    To block an account from logging in through RADIUS, we can make FreeRADIUS check membership of a specific Active Directory security group and reject any user that is a member of it. The Group check is resolved through the system's group database, which PBIS populates from Active Directory, so the AD group name can be used directly.

    The security group in this example is GG_S_GOOGLE_AUTH_DISABLED:

    DEFAULT Group == "GG_S_GOOGLE_AUTH_DISABLED", Auth-Type := Reject
            Reply-Message = "Your account has been disabled."

    Then add the line for the default authentication type. DEFAULT entries are matched in file order and the Reject entry has no Fall-Through, so it must stay above this line; otherwise every user matches the PAM entry first and the disabled group is never checked:

    DEFAULT Auth-Type := PAM

  14. Next, edit the file /etc/freeradius/3.0/sites-enabled/default

    Search for the word "pam" in the authenticate section and uncomment that line, so that requests with Auth-Type PAM are handed to the pam module.


  15. Next, edit the file /etc/pam.d/radiusd

    Comment out the following lines

    @include common-auth
    @include common-account
    @include common-password
    @include common-session

    And add the following lines

    auth requisite pam_google_authenticator.so forward_pass
    auth required pam_lsass.so use_first_pass

    With these two lines, users authenticate on the Horizon login page with [domain password]+[Google passcode] typed as one string: forward_pass makes pam_google_authenticator take the trailing six digits as the OTP and pass the remainder on as the password, and use_first_pass makes pam_lsass verify that remainder against Active Directory without prompting again. Because the first line is requisite, a wrong OTP fails immediately and the password is never sent to the domain controller.

    If you want users to authenticate with the Google passcode only, comment out the second line

    #auth required pam_lsass.so use_first_pass

    so that the only active line is

    auth requisite pam_google_authenticator.so forward_pass

    This removes the domain password from the RADIUS leg entirely. Horizon still asks for the domain password on its second login screen (see the test at the end of this post), so the password is still checked, but by the Connection Server rather than by RADIUS.

  16. Enable the pam module by linking it into mods-enabled.

    #ln -sf /etc/freeradius/3.0/mods-available/pam /etc/freeradius/3.0/mods-enabled/pam
  17. Restart the freeradius service

    # service freeradius restart
  18. Next, edit the file /etc/freeradius/3.0/clients.conf

    Find the example client entries and add one for the UAG

    client [FQDN_UAG_server] {
        ipaddr = [FQDN_UAG_server or its IP address]
        secret = [secret password you want to use]
    }

    Only requests that arrive from this address and carry this secret are answered; anything else is ignored and the client just sees a timeout. Two things follow from that. First, the Connection Server needs its own client entry as well if you configure it for internal (non-UAG) RADIUS access in the next section. Second, with PAP the user's password and OTP are protected in transit only by MD5 keyed with this shared secret, so use a long random secret per client and restrict UDP 1812 to these hosts at the firewall.

  19. Restart the FreeRADIUS service again.
    #service freeradius restart
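Before moving on to the UAG, it helps to see what actually crosses the wire between the UAG (or Connection Server) and FreeRADIUS, and to have a way of exercising the server without the Horizon stack. The following Python script is an added example written for this post, not code from the original article or from FreeRADIUS: it implements a minimal RADIUS PAP client per RFC 2865 (User-Password obfuscation with MD5 and the shared secret, plus Response Authenticator verification) and the server-side reply builder, so both messages of the exchange can be inspected offline. The host name, user name, Reply-Message text and the default NAS-IP-Address of 127.0.0.1 are assumptions for illustration.

```python
"""Minimal RADIUS PAP client and server-reply builder (RFC 2865), added example for testing the setup above."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def _attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including this 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt: what the server (or anyone holding the secret) recovers."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str = "127.0.0.1") -> bytes:
    """Access-Request carrying User-Name and a PAP-obfuscated User-Password (nas_ip is an assumed value)."""
    authenticator = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH16s", ACCESS_REQUEST, identifier, 20 + len(attrs), authenticator)
    return header + attrs


def build_response(code: int, request: bytes, secret: bytes, reply_message: str = None) -> bytes:
    """Server side: Access-Accept/Reject whose Response Authenticator binds it to the request and secret."""
    attrs = _attr(REPLY_MESSAGE, reply_message.encode()) if reply_message else b""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_response(packet: bytes, request: bytes, secret: bytes):
    """Verify the Response Authenticator, then return (code, {attr_type: [values]})."""
    code, identifier, length, resp_auth = struct.unpack("!BBH16s", packet[:20])
    body = packet[20:length]
    if identifier != request[1]:
        raise ValueError("response identifier does not match the request")
    expected = hashlib.md5(packet[:4] + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    attrs, pos = {}, 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(body[pos + 2:pos + attr_len])
        pos += attr_len
    return code, attrs


def authenticate(host: str, secret: bytes, username: str, password: str, port: int = 1812, timeout: float = 5.0):
    """Send one PAP Access-Request to the RADIUS server; return (accepted, list of Reply-Message strings)."""
    request = build_access_request(os.urandom(1)[0], username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        packet, _ = sock.recvfrom(4096)
    code, attrs = parse_response(packet, request, secret)
    return code == ACCESS_ACCEPT, [m.decode(errors="replace") for m in attrs.get(REPLY_MESSAGE, [])]


if __name__ == "__main__":
    import getpass
    import sys
    # Usage: python radius_pap_test.py <radius-host> <username>  (secret and password+OTP are prompted)
    host, user = sys.argv[1], sys.argv[2]
    shared_secret = getpass.getpass("shared secret: ").encode()
    ok, messages = authenticate(host, shared_secret, user, getpass.getpass("domain password + OTP: "))
    print("Access-Accept" if ok else "Access-Reject", messages)
```

Run it from a host that is listed in clients.conf and enter the password+OTP string exactly as a Horizon user would: an Access-Reject carrying the Reply-Message from step 13 confirms the disabled-group check, and an Access-Accept confirms the PAM stack. parse_response refuses a reply whose Response Authenticator was not computed with the same secret, which is the only integrity protection RADIUS gives you; the password itself is recoverable by anyone who learns the secret (pap_decrypt shows how), which is why the secret strength and the firewall rule in step 18 matter.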

VMware UAG/Horizon Configuration


  1. The RADIUS server is complete. Now we move on to integrate the UAG with the RADIUS server.

    Login to UAG admin page and look for RADIUS configuration at the Authentication Settings section and edit it.


  2. Configure the following

    Authentication Type = PAP

    Shared secret =
    [Refer to the secret that you define in /etc/freeradius/3.0/clients.conf]


    Num of Authentication attempts allowed =[entirely up to you]

    Number of attempts to RADIUS server =[entirely up to you]

    Server Timeout in Seconds =[entirely up to you]

    RADIUS Server Host name = [Radius server hostname or IP address]
    Authentication Port = 1812
  3. Look for Edge Service Settings and edit it.
  4. Configure the Auth Methods as RADIUS.


  5. For internal access that does not go through the UAG, configure the Horizon Connection Server with RADIUS. The Connection Server must also be listed as a client in the RADIUS server's /etc/freeradius/3.0/clients.conf, or its requests are ignored.

    Servers > Connection Servers > Authentication

    2-factor authentication = RADIUS

    Enforce 2-factor and Windows user name matching = Enable

    Select "Create New Authenticator".

      
  6. Configure the following

    Label = Google Auth [any name you like]

    Hostname = [FQDN of RADIUS server]

    Authentication port = 1812

    Accounting port = 1813

    Authentication type = PAP


    Shared secret = [Refer to the secret that you define in /etc/freeradius/3.0/clients.conf]
    Server timeout = [entirely up to you]
    Max attempts = [entirely up to you]

Authorize Users for 2FA RADIUS with the Google Authenticator App

  1. Next, we need to enroll users on the RADIUS server. On the RADIUS server, as root, switch to the user you want to enroll and run google-authenticator. Use su - (with the dash) so that the command runs in that user's own home directory; the secret is written to ~/.google_authenticator there, which is where the PAM module looks for it at login.

    # su - [username]

    $ google-authenticator
  2. Answer "Y" when it asks "Do you want authentication tokens to be time-based".
    Answering "Y" to the remaining questions updates the secret file, disallows reuse of a code, widens the accepted time window and enables rate limiting. With NTP configured in step 6 you can answer "N" to the question about tolerating extra time skew and keep the default narrow window.
  3. The RADIUS server side is now up and running; next, install and configure the Google Authenticator app on the mobile device.
  4. Start "Authenticator", choose "Scan barcode" and scan the QR code printed by google-authenticator in step 1.
    After scanning the QR code, the token is available in the app.
  5. Launch the Horizon Client, or a browser for HTML Access, to test the login with Google Authenticator. In my example below, users enter only the Google Authenticator passcode.
    Once that succeeds, a second login screen appears where you type your domain password (this is "as designed" in Horizon for any two-factor method you use, RADIUS or RSA).


    If you can login successfully, you will be able to launch your virtual desktops.
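To make concrete what the enrollment above produces and what the PAM module checks on each login, here is an added Python example written for this post (not code from google-authenticator-libpam or from the original article). It computes RFC 6238 TOTP codes the way the app and pam_google_authenticator do, checks a submitted code inside a skew window, splits a "password+OTP" string the way forward_pass does, and renders a new secret in the layout of ~/.google_authenticator together with the otpauth URI the QR code encodes. The exact option lines in the file, the 160-bit secret length, the issuer name "Horizon" and the user name "alice" are assumptions.

```python
"""TOTP as Google Authenticator computes it, the secret file the enrollment writes, and the
forward_pass split of "domain password + OTP". Added example, not part of the original post."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30     # seconds per TOTP step (google-authenticator default)
DIGITS = 6    # length of a normal code; emergency scratch codes are 8 digits


def totp(key: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step that contains Unix time `at`."""
    counter = struct.pack(">Q", max(0, at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_code(key: bytes, code: str, at: int, window: int = 1):
    """Return the accepted time step, or None. `window` steps either side absorb clock skew;
    a caller honouring DISALLOW_REUSE must refuse a step it has already accepted."""
    if len(code) != DIGITS or not code.isdigit():
        return None
    for delta in range(-window, window + 1):
        t = at + delta * STEP
        if t >= 0 and hmac.compare_digest(totp(key, t), code):
            return t // STEP
    return None


def split_forward_pass(typed: str, digits: int = DIGITS):
    """Mimic forward_pass: the trailing digits are the OTP, the rest is forwarded as the password."""
    if len(typed) < digits or not typed[-digits:].isdigit():
        return None
    return typed[:-digits], typed[-digits:]


def new_enrollment(user: str, issuer: str = "Horizon", scratch_codes: int = 5):
    """Generate a secret and render it in ~/.google_authenticator layout plus the otpauth URI.
    Secret length and the option lines are assumptions made for this example."""
    b32 = base64.b32encode(secrets.token_bytes(20)).decode()   # 160-bit secret, base32 for the app
    scratch = [str(secrets.randbelow(10 ** 8)).zfill(8) for _ in range(scratch_codes)]
    lines = [b32, '" RATE_LIMIT 3 30', '" WINDOW_SIZE 3', '" DISALLOW_REUSE', '" TOTP_AUTH', *scratch]
    uri = f"otpauth://totp/{quote(issuer)}:{quote(user)}?secret={b32}&issuer={quote(issuer)}"
    return "\n".join(lines) + "\n", uri


def parse_secret_file(text: str):
    """Read the layout above back as (key bytes, option strings, unused scratch codes)."""
    lines = text.splitlines()
    key = base64.b32decode(lines[0])
    options = [line[2:] for line in lines[1:] if line.startswith('" ')]
    scratch = [line for line in lines[1:] if line.isdigit()]
    return key, options, scratch


if __name__ == "__main__":
    import time
    text, uri = new_enrollment("alice")
    key, options, scratch = parse_secret_file(text)
    now = int(time.time())
    print(uri)
    print("current code:", totp(key, now), "accepted at step", verify_code(key, totp(key, now), now))
```

verify_code returns the accepted step so that a caller can mimic DISALLOW_REUSE by remembering it; pam_google_authenticator does the same in the secret file. Raising window beyond 1 is what answering "Y" to the time-skew question does: every extra step hands an attacker who is guessing codes another 30 seconds' worth of valid values, which is why NTP on the RADIUS server is preferable to a wide window.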

Comments

  1. This is really cool. For the longest time, we had problems with customers wanting a free RADIUS service. This post addresses that. Good work!

  2. Nice work! There's a strong demand for 2FA solutions. This is perfect for most organisations.

  3. Is it possible to change PAP to MSCHAPv2?

    Replies
    1. Sorry, I had not tried that before. Did it work for you?

  4. Yes, however some instances may need the RADIUS settings in the UAG set to simple CHAP as well. I have also seen match username cause issues if the remote machine is not domain joined and the local user is different than the View user. I have seen SSO still work without match username. (One other thing: if you are using MSCHAPv2 and have set certificates for the proxies and are adding a CA cert as well in the UAG, make sure that the RADIUS server also has them installed or they will not be able to auth with MSCHAPv2.)

