This recipe uses the 2018 September release of VMware Identity Manager Cloud, windows based vIDM Connector 2018.8.1 and a RADIUS server built with Ubuntu 16.04, FreeRADIUS and Google Authenticator. For guidance on getting vIDM Connector setup, check out this previous post. If you already have access to your own RADIUS solution, I'd go ahead and stick with that, otherwise, here's a recipe for standing up a free RADIUS solution using Google Authenticator. Once you have your vIDM Connector stood up and RADIUS server configured to allow this Connector as a RADIUS client, here are the steps you'd follow to integrate your on premises RADIUS solution through your vIDM Connector.
Configuring The RADIUS Authentication Adapter
First, go to Identity & Access Management --> Setup --> Connectors. Click on the Worker link within the Worker column for the vIDM connector you're looking to leverage for the integration.
Next, click on the Auth Adapters option.
From here, click on the hyperlink for RadiusAuthAdapter.
At that point you'll get redirected to your vIDM Connector, so make sure you have network access to the vIDM Connector when performing this step.
Populate the authentication adapter with info relevant to your RADIUS implementation, like the RADIUS server address, timeout, authentication port, authentication type and shared secret. Then click save. At this point, RadiusAuthAdapter will show up as enabled under Auth Adapters.
Next, we want to enable this authentication method on our Built-in adapter. Navigate to Identity and Access Management --> Setup --> and Identity Providers. Click on the hyperlink for your Built-in provider.
Scroll down to the Connector Authentication methods for your Connector and enable the option for RADIUS (cloud deployment).
Then click save to make the new settings stick.
Mandate RADIUS Authentication Through An Access Policy
From there, I added a new access rule for Mac users. Here's what it looks like:
Now, when I try to authenticate to vIDM from my Macbook pro, I'm initially prompted to provide my RADIUS passcode, rather than the default of AD credentials.
Another option is to mandate RADIUS authentication for an individual application, rather than for general access to the portal. For example, I can mandate RADIUS authentication for access to a Horizon environment. So, initially, the user can access their portal with AD credentials, but then will be prompted for a RADIUS passcode when they try to launch their desktop. Accordingly, on access policy defined for a specific Horizon desktop pool, I've added the following access rule:
Now, my users logs into Workspace One using AD credentials and sees the virtual desktop their entitled to.
However, when they double click on the entitlement, they're redirected to a prompt for their RADIUS passcode.
After a valid RADIUS passcode is provided access is granted to the virtual desktop.