A blog for random cybersecurity. networking. infrastructure. notes.

DUO 2FA at the Unified Access Gateway

Description

DUO (https://www.duo.com) offers a great guide to installing and configuring Horizon View using DUO’s RADIUS Proxy. In their sample configuration, all users are required to complete 2FA whether they are logging in from the internet or a local/trusted network, because 2FA is enforced at the Connection Server. In some cases an organization may want only users accessing their virtual desktops from the internet to use 2FA, allowing internal users to bypass 2FA at the Connection Server and only be prompted for 2FA at the desktop. Configuring DUO 2FA at the VMware Unified Access Gateway achieves exactly this!

The Objective

Leverage DUO 2FA only on perimeter/internet access and not ALL Horizon View users

Configuration Procedure

Install and Configure the DUO RADIUS Proxy

The process to install and configure the RADIUS Proxy can be found at https://duo.com/docs/vmwareview.

The portion of the authproxy.cfg that we’re really focused on in this post is the area marked in the red rectangle below:

[Screenshot: radius server challenge]

Prepare the VMware Unified Gateway for RADIUS

Below is where we will configure the Unified Gateway to leverage the DUO RADIUS Proxy.

  • Browse to the UAG at https://the.ip.address_or_hostname_of_the.UAG:9443/admin/index.html#!/Login
  • Select Authentication Setting in the General Settings Pane

[Screenshot: authentication option]

  • Select the gear for settings

[Screenshot: radius settings]

[Screenshot: radius setting options]

  • Set the Enable RADIUS switch to YES
  • Authentication Type: PAP
  • Add the Shared Secret you configured in the authproxy.cfg
  • Enter the RADIUS Server Host Name
  • Save the Settings and exit

Perform a test of the 2FA push. You should receive a DUO prompt during the login process that looks very similar to the one shown on DUO’s site when configuring the proxy (https://duo.com/docs/vmwareview).

Conclusion

My findings have been that the UAG only has the ability to configure one RADIUS server, no fail-over or secondary server. In the example above, if the RADIUS Proxy becomes offline or unavailable for any reason, the login process will be halted until access has been recovered or the “Enable RADIUS” switch is set back to NO (disabled). There you have it, DUO 2FA only at the VMware Unified Access Gateway!
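Because the single RADIUS proxy is a hard dependency for external logins, it is worth monitoring; the sketch below is an added example (not from the original post or from DUO or VMware) that sends one PAP Access-Request, as the UAG does, and verifies the reply's Response Authenticator with the shared secret. Assumptions: the monitoring host is listed as a RADIUS client in authproxy.cfg, the proxy answers an unknown dummy account with Access-Reject, and the function names, address, account and secret are hypothetical placeholders.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST = 1  # RFC 2865 packet code

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding (what 'Authentication Type: PAP' sends)."""
    size = max(1, -(-len(password) // 16)) * 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_request(user: bytes, password: bytes, secret: bytes,
                  ident: int, authenticator: bytes) -> bytes:
    """Access-Request carrying User-Name (type 1) and User-Password (type 2)."""
    attrs = b""
    for typ, val in ((1, user), (2, pap_hide(password, secret, authenticator))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def classify(reply: bytes, ident: int, request_auth: bytes, secret: bytes) -> str:
    """'up' only if the reply matches our request and its Response Authenticator verifies."""
    if len(reply) < 20 or reply[1] != ident:
        return "bad-reply"
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return "bad-reply"
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    want = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return "up" if hmac.compare_digest(want, reply[4:20]) else "secret-mismatch"

def probe(host: str, secret: bytes, user: bytes = b"uag-healthcheck",
          port: int = 1812, timeout: float = 5.0) -> str:
    """Send one request for a dummy account; Accept or Reject both prove liveness."""
    auth, ident = os.urandom(16), os.urandom(1)[0]
    packet = build_request(user, b"not-a-real-password", secret, ident, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (host, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:  # timeout or ICMP unreachable: no answer from the proxy
            return "down"
    return classify(reply, ident, auth, secret)

if __name__ == "__main__":
    # Constructed placeholders: substitute your proxy address and shared secret.
    print(probe("192.0.2.10", b"constructed-shared-secret", timeout=2.0))
```

A result of "secret-mismatch" means something answered on the port but the shared secret on the two sides differs, which is the same condition that would break logins through the UAG.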

If you have any further ideas or thoughts, please feel free to contribute in the comments below!

Additionally, if you found this helpful, please buy a stranger a cup of coffee the next time you’re at a coffee shop.
