Even Gooder: Integrating An On Premises RADIUS Solution With Cloud Hosted vIDM

With a VMware Identity Manger Cloud deployment you can use the vIDM Connector to integrate with a RADIUS instance located in your trusted network. At that point, with the connector acting as a proxy between your RAIDUS server and vIDM Cloud instance, you can begin to mandate RADIUS authentication for endpoints connecting from anywhere, either for access to specific apps or general access to your Workspace One portal. Further, leveraging vIDM conditional access policies, you can judiciously enforce or bypass 2FA requirements based on the users context or device posture. For this post, I'm going to add 2FA as a requirement for access to Horizon when a user connects from a browser on an untrusted device.

This recipe uses the 2018 September release of VMware Identity Manager Cloud, windows based vIDM Connector 2018.8.1 and a RADIUS server built with Ubuntu 16.04, FreeRADIUS and Google Authenticator. For guidance on getting vIDM Connector setup, check out this previous post. If you already have access to your own RADIUS solution, I'd go ahead and stick with that, otherwise, here's a recipe for standing up a free RADIUS solution using Google Authenticator. Once you have your vIDM Connector stood up and RADIUS server configured to allow this Connector as a RADIUS client, here are the steps you'd follow to integrate your on premises RADIUS solution through your vIDM Connector.

Configuring The RADIUS Authentication Adapter

First, go to Identity & Access Management --> Setup --> Connectors. Click on the Worker link within the Worker column for the vIDM connector you're looking to leverage for the integration.

Next, click on the Auth Adapters option.

From here, click on the hyperlink for RadiusAuthAdapter.

At that point you'll get redirected to your vIDM Connector, so make sure you have network access to the vIDM Connector when performing this step.

Populate the authentication adapter with info relevant to your RADIUS implementation, like the RADIUS server address, timeout, authentication port, authentication type and shared secret. Then click save. At this point, RadiusAuthAdapter will show up as enabled under Auth Adapters.

Next, we want to enable this authentication method on our Built-in adapter. Navigate to Identity and Access Management --> Setup --> and Identity Providers. Click on the hyperlink for your Built-in provider.

Scroll down to the Connector Authentication methods for your Connector and enable the option for RADIUS (cloud deployment).

Then click save to make the new settings stick.

Mandate RADIUS Authentication Through An Access Policy

At this point, we can use access policies to mandate RADIUS authentication for either general Workspace One portal access or for individual applications. For example, to pick on Mac users, I've edited the default policy to require RADIUS authentication for Mac users in order to login into the Workspace One. After navigating to Identity & Access Management --> Manage --> Policies, I clicked on the option to, "Edit Default Policy."

From there, I added a new access rule for Mac users. Here's what it looks like:

Now, when I try to authenticate to vIDM from my Macbook pro, I'm initially prompted to provide my RADIUS passcode, rather than the default of AD credentials.

Another option is to mandate RADIUS authentication for an individual application, rather than for general access to the portal. For example, I can mandate RADIUS authentication for access to a Horizon environment. So, initially, the user can access their portal with AD credentials, but then will be prompted for a RADIUS passcode when they try to launch their desktop. Accordingly, on access policy defined for a specific Horizon desktop pool, I've added the following access rule: