Setup RADIUS Authentication
PREREQUISITES:
This section will detail how to install and configure a RADIUS server and client for Windows, and how to integrate RADIUS with IDM by enabling the RADIUS Cloud Deployment authentication method.
1. Connect to the VESC Server
You will configure the RADIUS server and client on the VESC Server for this lab.
Double-click the VESC Server.rdp link on the Desktop to connect to the VESC Server.
2. Install and Configure a RADIUS Server for Windows
- Click Server Manager from the task bar.
- Click Manage.
- Click Add Roles and Features.
2.1. Enable Network Policy and Access Services
- Click Server Selection.
- Click Server Roles.
- You may need to scroll down to find Network Policy and Access Services.
- Click the checkbox to enable Network Policy and Access Services.
2.1.1. Add Features for Network Policy and Access Services
Click Add Features.
2.1.2. Install the New Roles and Features
- Click Confirmation.
- Click Install.
Wait for the installation to complete. This may take several minutes.
2.1.3. Close the Installation Window
- Ensure the Feature Installation shows the installation succeeded.
- Click Close.
2.2. Configure Network Policy Server
Within Server Manager,
- Click Tools.
- Click Network Policy Server.
2.2.1. Register Network Policy Server in Active Directory
- Click Action.
- Click Register server in Active Directory.
2.2.2. Authorize to Read User's Dial-In Properties
- Click OK to authorize this computer to read user's dial-in properties.
- Click OK to confirm that the computer is now authorized.
2.3. Add a new RADIUS Client
- Click the caret next to RADIUS Clients and Servers to expand the folder.
- Right-click RADIUS Clients.
- Click New.
2.3.1. Configure the RADIUS Client
- Enter vescsrv-01a.corp.local for the Friendly Name.
- Enter vescsrv-01a.corp.local for the Address (IP or DNS).
- Enter VMware1! for the Shared Secret.
- Enter VMware1! for the Confirm Shared Secret.
- Click OK.
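The same server-side setup (steps 2 through 2.3.1) can be scripted from an elevated PowerShell session on the VESC Server. This is an added example, not part of the original lab guide; it reuses the lab values above, and the variable names are illustrative. The network policy in steps 2.3.2 through 2.3.15 is still created in the console.

```powershell
# Added example: scripted equivalent of steps 2 through 2.3.1.
# Run in an elevated PowerShell session on the VESC Server.
# Variable names are illustrative; the values are the lab values from this guide.
$ClientName   = 'vescsrv-01a.corp.local'   # Friendly Name and Address (step 2.3.1)
$SharedSecret = 'VMware1!'                 # Shared Secret (step 2.3.1)

# Steps 2 to 2.1.3: install Network Policy and Access Services with its
# management tools, unless the role is already present.
$role = Get-WindowsFeature -Name NPAS
if (-not $role.Installed) {
    $result = Install-WindowsFeature -Name NPAS -IncludeManagementTools
    if (-not $result.Success) { throw 'NPAS role installation failed.' }
}

# Steps 2.2.1 and 2.2.2: register this NPS server in its default Active
# Directory domain so it can read users' dial-in properties.
netsh nps add registeredserver
if ($LASTEXITCODE -ne 0) { throw 'Registering NPS in Active Directory failed.' }

# Steps 2.3 and 2.3.1: create the RADIUS client only if it does not exist yet,
# so the script can be re-run without raising a duplicate-name error.
Import-Module NPS
$existing = Get-NpsRadiusClient | Where-Object { $_.Name -eq $ClientName }
if (-not $existing) {
    New-NpsRadiusClient -Name $ClientName -Address $ClientName `
        -SharedSecret $SharedSecret | Out-Null
}

# Verification: show the client entry. Get-NpsRadiusClient also returns the
# shared secret in clear text, so select only the non-secret properties
# before the output ends up in a transcript or log.
Get-NpsRadiusClient |
    Where-Object { $_.Name -eq $ClientName } |
    Select-Object Name, Address, VendorName, Enabled |
    Format-List
```

The Shared secret entered for the RADIUSAuthAdapter in step 4.2 must match the value passed to `-SharedSecret` here.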
2.3.2. Add a New Network Policy
- Click the caret next to Policies to expand it.
- Right-click Network Policies.
- Click New.
2.3.3. Configure Policy Name and Connection Type
- Enter IDM Authentication for the Policy name.
- Select Unspecified for the Type of Network access server.
- Click Next.
2.3.4. Add Conditions
Click Add.
2.3.5. Add a User Groups Condition
- Click User Groups.
- Click Add.
2.3.6. Add Groups
Click Add Groups.
2.3.7. Select the Domain Users Group
- Enter Domain Users into the search field.
- Click Check Names. Ensure the Domain Users group is found.
- Click OK.
2.3.8. Confirm User Groups
Click OK.
2.3.9. Continue after specifying User Groups Condition
Click Next.
2.3.10. Specify Access Granted Permission
- Select Access Granted.
- Click Next.
2.3.11. Configure Authentication Methods
- Under the Less secure authentication methods, ensure that ALL of the options are checked EXCEPT for Perform machine health check only.
- Click Next.
2.3.12. Close Help Popup
Click No.
2.3.13. Accept the Default Constraints
Click Next to accept the default Constraints.
2.3.14. Accept the Default Settings
Click Next to accept the default Settings.
2.3.15. Complete the New Network Policy
Click Finish.
3. Return to the Main Console
With the RADIUS client configured, you will configure the remainder of the requirements from the Main Console.
Click the Close (X) button on the Remote Desktop Connection bar at the top of your screen.
NOTE: If you do not see the Remote Desktop Connection bar, you may have un-pinned the bar. Hover your mouse over the top and center part of the screen to reveal it.
4. Configure the RADIUS Authentication Method for VMware Identity Manager
In the VMware Identity Manager Administration Console,
- Click Identity & Access Management.
- Click Setup.
- Click Connectors.
- Click Lab.
4.1. Select the RADIUSAuthAdapter
- Click the Auth Adapters tab.
- You may need to scroll down.
- Click the RADIUSAuthAdapter link.
4.2. Configure the RADIUSAuthAdapter Details
- Click to enable the Enable RADIUS Adapter option.
- Enter 5 for the Number of attempts to RADIUS server.
- Enter 20 for the Server timeout in seconds.
- Enter vescsrv-01a.corp.local for the RADIUS server hostname/address.
- Select MSCHAPv2 for the Authentication type.
- Enter VMware1! for the Shared secret.
4.3. Save the RADIUSAuthAdapter
- Scroll down to the bottom.
- Click Save.
4.4. Return to the VMware Identity Manager Admin Console
- Confirm the RADIUSAuthAdapter shows as Enabled.
- Click Admin Console.
5. Configure the Identity Providers
- Click Identity & Access Management.
- Click Identity Providers.
- Click Built-In.
5.1. Associate the RADIUS Authentication Method
- Scroll down to the bottom.
- Click to enable the RADIUS (cloud deployment) authentication method for this Identity Provider.
- Click Save.
6. Configure the Policy Rules
- Click Identity & Access Management.
- Click Policies.
- Click Edit Default Policy.
6.1. Add Policy Rule
- Click Configuration.
- Click Add Policy Rule.
6.2. Configure Policy Rule
- Select ALL RANGES for the Network Range.
- Select Web Browser for the Device type.
- Select Authenticate using... for the action.
- Select RADIUS (cloud deployment) for the authentication type.
- Select Password (cloud deployment) for the fallback authentication type.
6.3. Save the Policy Rule
- Scroll down to the bottom.
- Click Save.
6.4. Move the Policy Rule to the Top
- Move the Policy Rule for the RADIUS (cloud deployment) authentication to the top.
- Click Next.
6.5. Review and Save
Review the configuration as desired and click Save.
7. Test RADIUS Authentication from a Web Browser
- Right-click the Google Chrome icon from the task bar.
- Click New incognito window.
7.1. Navigate to the Identity Manager Tenant
- Enter https://{yourtenant}.vidmpreview.com in the navigation bar and press Enter.
NOTE - Be sure to replace {yourtenant} with your actual tenant that you have accessed in previous steps!
- Select corp.local for the Domain.
- Click Next.
7.2. Authenticate using RADIUS
- Notice we are being prompted to authenticate with our RADIUS passcode.
- Enter aduser for the username.
- Enter VMware1! for the RADIUS Passcode.
- Click Sign In.
7.3. Navigate to the User Settings
- Click the User dropdown.
- Click Settings.
7.4. Confirm RADIUS Authentication was Successful
- Confirm the User Profile shows as [email protected].
- Click the X to close the incognito browsing session and return to the VMware Identity Manager Administration Console.
This confirms that we successfully installed and configured the RADIUS server on the Windows server, then enabled and configured the RADIUS authentication method and Policy Rules so that users can authenticate with their RADIUS passcode when accessing the tenant from a Web Browser.