Thursday, May 10, 2018

Using Microsoft Network Policy Server For Basic RADIUS Testing With VMware Horizon 7.3.1

To troubleshoot RADIUS integrations with Horizon, you can set up Microsoft Network Policy Server as a RADIUS server. This isn't something I'd necessarily charge into production with, but it can be a useful way for VDI admins to double-check the functionality of Horizon, particularly when you don't have access to a RADIUS solution or need a sanity check.

One disclaimer: I have yet to see this NPS server handle password changes properly on users with expired passwords. If anyone has made it happen, I would love to hear about it.

Setting Up Network Policy Server As A RADIUS Solution For Horizon

To begin, go to Server Manager and add Network Policy and Access Services as a role. Then select Network Policy Server as the role service to install.

When the install is complete, open up the Network Policy Server management console. Navigate to the Network Policies folder, right-click and select "New."

Give your new policy a descriptive name and stick with "Unspecified" as the network access server type.

Next you need to specify a condition for applying the policy. Below, I've gone with the option to base the condition on the IP address of the RADIUS client.

Go with the option to grant access if the condition matches.

On the Configure Authentication Methods screen, select MS-CHAP-v2, MS-CHAP, CHAP or PAP as a supported authentication method.

Next your way through the Configure Constraints and the Configure Settings screens, accepting the defaults.

As a final configuration step on this new RADIUS server, we have to create a RADIUS Client entry for our Horizon Connection Server. With the Network Policy Server snap-in still open, right-click on RADIUS Clients and select "New."

And here's what that basic client configuration looks like:

At this point, you can configure the Horizon Connection Server to act as a client for this RADIUS server. Here's an example configuration from my Horizon environment:

Now enable these new client settings as an authenticator from the Horizon server.

And here's what it looks like to authenticate into my Horizon environment after making this integration:

After doing the initial authentication against the NPS RADIUS server using my AD credentials, I'm presented with the normal dialog from the Horizon server:

While this isn't terribly sexy and exciting on its own, it's a useful setup for testing and worth having in your back pocket.
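To sanity-check the NPS side independently of Horizon, you can send it a PAP Access-Request yourself. The Python probe below is an added example, not part of the original post; the server address, account, shared secret and the `nps-probe` NAS-Identifier are placeholders, and it assumes PAP is enabled in the network policy and that the machine running it has its own RADIUS Clients entry whose IP address matches the policy condition.

```python
import hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP User-Password hiding (RFC 2865, 5.2): MD5 keystream chained per 16-byte block."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def build_access_request(user, password, secret, ident=1, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, user.encode())                                   # User-Name
             + attr(2, hide_password(password.encode(), secret, authenticator))
             + attr(32, b"nps-probe")                                 # NAS-Identifier (made up)
             + attr(80, bytes(16)))                                   # Message-Authenticator slot
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()  # HMAC-MD5 over packet, slot zeroed
    return packet[:-16] + mac, authenticator

def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return len(response) >= 20 and hmac.compare_digest(expected, response[4:20])

def probe(server, user, password, secret, port=1812, timeout=5.0):
    packet, request_auth = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)  # NPS silently drops requests from unknown clients
        sock.sendto(packet, (server, port))
        response, _ = sock.recvfrom(4096)
    if not verify_response(response, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: check the shared secret")
    return CODES.get(response[0], f"code {response[0]}")

if __name__ == "__main__":
    # Placeholder values: substitute your NPS address, a test account and the client's secret.
    print(probe("192.0.2.10", "testuser", "example-password", b"example-shared-secret"))
```

A timeout usually means NPS discarded the packet, for example because the sender's IP address has no RADIUS Clients entry. Because PAP protects the password only with an MD5 keystream derived from the shared secret, use a long random secret even on a test server.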

1 comment:

  1. "While this isn't terribly sexy and exciting on its own, it's a useful setup for testing and worth having in your back pocket" - Why not, pretty smart solution, IMO