![]() The client determines what type of primary authentication is performed. The first thing we need to configure is the Duo client. I’ll highlight a few of these options below. Duo has a number of options for configuration, and it’s important to review the documentation. Once the authentication proxy is installed, it needs to be configured. The steps for installing the Duo authentication proxy are beyond the scope of this article. This proxy acts as a RADIUS server, and it can run on Windows or Linux. Duo requires an on-premises authentication proxy. The Duo environment needs to be configured before Horizon MFA can be set up. If this second factor of authentication is successful, I will be automatically signed into Horizon. If my two-factor authentication system supports Active Directory authentication, I can use my Windows Username and Password to be authenticated against it and then receive a challenge for a one-time password (or device push). ![]() When this setting is enabled, the domain sign-on prompt is skipped. Use the same username and password for RADIUS and Windows authentication (WindowsSSOEnabled in UAG) – Used when the RADIUS server and Windows have the same password.Enforce 2-factor and Windows user name matching (matchWindowsUserName in UAG) – enabled when the MFA and Windows user names match.Horizon has a couple of multi-factor authentication options that we need to know about when doing the initial configuration. The other difference is 2FA is validated in the DMZ by the appliance, so 2FA does not need to be configured on the Connection Servers. First, the Unified Access Gateway is not tied to a specific Connection Server, and it can be pointed at a load-balanced pool of connection servers. If 2FA is used, the user is prompted for the one-time password first, and if that is successful, the user is prompted for their Active Directory credentials. The Unified Access Gateway setup is, in some ways, similar to the old Security Server/Connection Server setup. Note: When using Duo in this setup, I can configure Duo to use the same initial credentials as the user’s AD account and then present the user with options for how they want to validate their identity – a phone call, push to a mobile device, or passcode. The reliance on connection servers meant that two sets of connection servers needed to be maintained – one internal facing without multi-factor authentication configured and one external facing with multi-factor configured. The user would first be prompted for their username and their one-time password, and if that validated successfully, they would be prompted to log in with their Active Directory credentials. When users signed in remotely, the security server would proxy all authentication traffic back to the connection server that it was paired with. When the Security Server was the only option, two-factor authentication was enabled on the Connection Servers. There are some key differences between how these two technologies work. Understanding Unified Access Gateway Authentication Pathīefore I configure the Unified Access Gateway for two-factor authentication with Duo, let’s walk through how the appliance handles authentication for Horizon environments and how it compares to the Security Server. It will validate these against Active Directory before prompting the user for their second authentication factor. When using Active Directory as the authentication source, Duo will utilize the same username and password as the user’s AD account. In addition to providing their own authentication source, they can also integrate into existing Active Directory environments or RADIUS servers. Duo utilizes an on-premises Authentication Proxy to integrate with customer systems. Duo also supports VMware Horizon, although they do not currently have any documentation on integrating with the Access Point/Unified Access Gateway.ĭuo Security for Multi-factor Authenticationĭuo Security is a cloud-based MFA provider. I’ve been using Duo Security for a while because they support RADIUS, have a mobile app, and have a free tier. The Unified Access Gateway supports the following two-factor authentication technologies:īecause I’m doing this in a lab environment, I decided to use a RADIUS-based technology for this post. ![]() The Unified Access Gateway supports multiple options for two-factor authentication, and many real-world deployments will use some form of two-factor when granting users access to their desktops and applications remotely. That post walked through the basic deployment steps. In my last post, I went through the steps for deploying a Horizon Access Point/Unified Access Gateway using the PowerShell deployment script. This should make the post easier to follow. Note: After publishing, I decided to rework this blog post a bit to separate the AD-integrated Duo configuration from the Duo-only configuration.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |