VMware UAG: Two-Factor Authentication configuration

vmware-uag-two-factor-authentication-01

To add an extra layer of security to VMware UAG appliance, the authentication process can be enforced using a Two-Factor Authentication procedure with solutions such as Duo Authentication Proxy.

If the UAG appliance is installed in your VMware Horizon infrastructure, the Two-Factor Authentication makes the connection more secure avoiding unauthorized accesses. Duo is Cisco's user-friendly, scalable access security platform that can be configured in the UAG appliance providing a second source of validation.

vmware-uag-two-factor-authentication-02

 

System requirements

DUO Authentication Proxy can be installed on the following supported OSs:

  • Windows Server 2012 or later (Server 2016 or 2019 recommended)
  • CentOS 7 or later
  • Red Hat Enterprise Linux 7 or later
  • Ubuntu 16.04 or later
  • Debian 7 or later

The minimum system requirements are the following:

  • Form Factor: physical or virtual machine
  • Processor: 1 processor
  • Memory: 4 GB RAM
  • Disk: 200 MB or greater

The Authentication Proxy communicates with Duo's service on TCP port 443. Make sure to open firewall ports accordingly.

The Duo Mobile app must be installed on your mobile device (Android or Apple) to manage push notifications.

 

Install DUO for Two-Factor Authentication

DUO can be installed on both Windows or Linux OSs and the procedure is pretty straightforward. To save Windows licenses, the Duo MFA can be easily installed on a supported Linux distributions.

 

Deploy CentOS OS

Download the minimal installation of CentOS 7 and deploy the VM on your LAN.

vmware-uag-two-factor-authentication-03

 

Install DUO Authentication Proxy

SSH the CentOS 7 VM and run the following command from the console to install the needed packages:

# yum install gcc make libffi-devel perl zlib-devel wget

vmware-uag-two-factor-authentication-04

Download the Authentication Proxy module using the wget command.

# wget https://dl.duosecurity.com/duoauthproxy-latest-src.tgz

vmware-uag-two-factor-authentication-05

Extract the files from the downloaded file .TGZ and run the build process.

# tar xzf duoauthproxy-latest-src.tgz
# cd duoauthproxy-version-src
# make

vmware-uag-two-factor-authentication-06

When the build process has completed successfully, run the install command to install the application.

# cd duoauthproxy-build
# ./install

vmware-uag-two-factor-authentication-07

Note that the Duo Authentication Proxy's configuration file is stored in the directory /opt/duoauthproxy/conf/authproxy.cfg.

 

Retrieve Duo parameters

After registering the account in Duo, select the software to protect (VMware View) from the available applications list.

vmware-uag-two-factor-authentication-08

Access the application area and write down the parameters reported in the Details area needed to configure Duo:

  • Integration key
  • Secret key
  • API hostname

vmware-uag-two-factor-authentication-09

 

Configure the push authentication

Duo provides different authentication methods you can configure. The push notification for example allows the application to send a push notification directly to the user's mobile device.

To configure the push notification, you need to edit the Duo's configuration file and configure it as follow:

# vi /opt/duoauthproxy/conf/authproxy.cfg

[ad_client]
host=xx.xx.xx.xx          (IP Domain Controller 1)
host_2=xx.xx.xx.xx     (IP Domain Controller 2)
service_account_username=duoservice
service_account_password=password
search_dn=DC=domain,DC=com

[radius_server_auto]
ikey=xxxxxxxxxxxxxxxxxxxx
skey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
api_host=api-xxxxxxxx.duosecurity.com
radius_ip_1=192.168.95.101      (UAG1 IP address)
radius_ip_2=192.168.95.102     (UAG2 IP address)
radius_secret_1=xxxxxxxxxxxxxxxxxxxx     (configure secret also in UAG)
failmode=secure
client=ad_client
port=1812

vmware-uag-two-factor-authentication-10

Save the file and restart the service.

# /opt/duoauthproxy/bin/authproxyctl restart

vmware-uag-two-factor-authentication-11

 

Configure UAG

Once the DUO Authentication Proxy has been configured successfully, the UAG must be configured accordingly.

Using your preferred browser, type the addess https://<IP_UAG>:9443, enter the admin credentials and click Login.

vmware-uag-two-factor-authentication-12

Click Select under Configure Manually.

vmware-uag-two-factor-authentication-13

 

Configure RADIUS

To take benfit of Duo Two-Factor Authentication, you need to access the Authentication section in UAG and configure RADIUS as protocol.

To set the RADIUS protocol enable the Authentication Settings switch.

vmware-uag-two-factor-authentication-14

Click on the RADIUS Settings icon to configure the protocol.

vmware-uag-two-factor-authentication-15

Click on Enable RADIUS switch.

vmware-uag-two-factor-authentication-16

Configure the required parameters and click Save. The Shared Secret must be the same as configured in Duo Authentication Proxy.

vmware-uag-two-factor-authentication-17

 

Enable RADIUS authentication in UAG

Once the protocol has been enabled, RADIUS must be configured in the Horizon's settings. Click Edge Service Settings.

vmware-uag-two-factor-authentication-18

Click the Horizon Settings icon.

vmware-uag-two-factor-authentication-19

From the Auth Methods drop-down menu select RADIUS and click Save. You need to click the More link to display additional settings.

vmware-uag-two-factor-authentication-20

You need also to enable the these settings to avoid entering the credentials twice.

vmware-uag-two-factor-authentication-21

 

Test authentication

Open your preferred browser (for https access) and type the URL to access your Horizon infrastructure. Enter the credentials of an entitled user and click Login. Credentials are verified and authenticated against Active Directory.

vmware-uag-two-factor-authentication-22

Once the account has been validated in AD, a push request is then sent to the user's mobile. Click Approve to login.

vmware-uag-two-factor-authentication-23

When the authorization has been given via Duo, the access to Horizon is granted.

vmware-uag-two-factor-authentication-24

UAG is now configured with Two-Factor Authentication making the access to your infrastructure more secure.

signature

Leave a Reply