Setup RADIUS Authentication

This section will detail how to install and configure a RADIUS server and client for Windows, and how to integrate RADIUS with IDM by enabling the RADIUS Cloud Deployment authentication method.

1. Connect to the Conn-01a Server

You will configure the RADIUS server and client on the conn-01.corp.local server for this exercise.

Double-click the conn-01.rdp link on the Desktop to connect to the Conn-01a Server.

2. Install and Configure a RADIUS Server for Windows

  1. Click Server Manager from the task bar
  2. Click Manage
  3. Click Add Roles and Features

2.1. Enable Network Policy and Access Services

  1. Click Server Selection
  2. Click Server Roles
  3. Click the checkbox to enable Network Policy and Access Services

2.1.1. Add Features for Network Policy and Access Services

Click Add Features.

2.1.2. Install the New Roles and Features

  1. Click Confirmation
  2. Click Install

Wait for the installation to complete.  This may take several minutes to complete.

2.1.3. Close the Installation Window

  1. Ensure the Feature Installation shows the installation succeeded
  2. Click Close

2.2. Configure Network Policy Server

In Server Manager,

  1. Click Tools
  2. Click Network Policy Server

2.2.1. Register Network Policy Server in Active Directory

  1. Click Action
  2. Click Register server in Active Directory

2.2.2. Authorize to Read User's Dial-In Properties

  1. Click OK to authorize this computer to read user's dial-in properties
  2. Click OK to confirm that the computer is now authorized

2.3. Add a new RADIUS Client

  1. Click the caret next to RADIUS Clients and Servers to expand the folder
  2. Right-click RADIUS Clients
  3. Click New

2.3.1. Configure the RADIUS Client

  1. Enter conn-01.corp.local for the Friendly Name
  2. Enter conn-01.corp.local for the Address (IP or DNS)
  3. Enter VMware1! for the Shared Secret
  4. Enter VMware1! for the Confirm Shared Secret
  5. Click OK

2.3.2. Add a New Network Policy

  1. Click the caret next to Policies to expand it
  2. Right-click Network Policies
  3. Click New

2.3.3. Configure Policy Name and Connection Type

  1. Enter Workspace ONE for the Policy name
  2. Select Unspecified for the Type of Network access server
  3. Click Next

2.3.4. Add Conditions

Click Add.

2.3.5. Add a User Groups Condition

  1. Click User Groups
  2. Click Add

2.3.6. Add Groups

Click Add Groups.

2.3.7. Select the Domain Users Group

  1. Enter Domain Users into the search field
  2. Click Check Names, ensure the Domain Users group is found
  3. Click OK

2.3.8. Confirm User Groups

Click OK.

2.3.9. Continue after specifying User Groups Condition

Click Next.

2.3.10. Specify Access Granted Permission

  1. Select Access Granted
  2. Click Next

2.3.11. Configure Authentication Methods

  1. Under the Less secure authentication methods, ensure that ALL of the options are checked EXCEPT for Allow clients to connect without negotiating an authentication method
  2. Click Next

2.3.12. Close Help Popup

Click No.

2.3.13. Accept the Default Constraints

Click Next to accept the default Constraints.

2.3.14. Accept the Default Settings

Click Next to accept the default Settings.

2.3.15. Complete the New Network Policy

Click Finish.

3. Return to the Main Console

With the RADIUS client configured, you will configure the remainder of the requirements from the Main Console.

Click the Close (X) button on the Remote Desktop Connector bar at the top of your screen.

NOTE: If you do not see the Remote Desktop Connection bar, you  may have un-pinned the bar.  Hover your mouse over the top and center part of the screen to reveal it.

4. Configure the RADIUS Authentication Method for Workspace ONE Access

In the Workspace ONE Access Administration Console,

  1. Click Identity & Access Management
  2. Click Setup
  3. Click Legacy Connectors
  4. Click Lab

4.1. Select the RADIUSAuthAdapter

  1. Click the Auth Adapters tab
  2. Click the RADIUSAuthAdapter link

4.2. Configure the RADIUSAuthAdapter Details

  1. Click to enable the Enable RADIUS Adapter option
  2. Enter 5 for the Number of attempts to RADIUS server
  3. Enter 60 for the Server timeout in seconds
  4. Enter conn-01.corp.local for the RADIUS server hostname/address
  5. Select MSCHAPv2 for the Authentication type
  6. Enter VMware1! for the Shared secret

4.3. Save the RADIUSAuthAdapter

  1. Scroll down to the bottom
  2. Click Save

4.4. Return to the Workspace ONE Access Admin Console

  1. Confirm the RADIUSAuthAdapter shows as Enabled
  2. Click the Close (X) button on the current tab to return to the Workspace ONE Access administration console

5. Configure the Identity Providers

  1. Click Identity & Access Management
  2. Click Identity Providers
  3. Click Built-In

5.1. Associate the RADIUS Authentication Method

  1. Scroll down to the bottom
  2. Click to enable the RADIUS (cloud deployment) authentication method for this Identity Provider
    NOTE: The Connector Authentication Methods are queried each time you visit the page, so the list may still be loading.  Please wait a few seconds for the list of available authentication methods to load if so.
  3. Click Save

6. Configure the Policy Rules

  1. Click Identity & Access Management
  2. Click Policies
  3. Click Edit Default Policy

6.1. Add Policy Rule

  1. Click Configuration
  2. Click the ALL RANGES link for the Windows 10 Policy you created previously to edit it

6.2. Configure Policy Rule

  1. Click the Plus (+) button next to then the user may authenticate using dropdown. This will add another authentication requirement to our primary authentication method, requiring the user to pass two authentication methods.
  2. Select RADIUS (cloud deployment) for the and... dropdown.
  3. Click Save.

6.3. Continue with the Policy Rule Changes

The Windows 10 device type policy is already at the top, so click Next to continue with updating the Access Policies.

6.4. Review and Save

Review the configuration as desired and click Save.

7. Test RADIUS Authentication from the Windows 10 Virtual Machine

Return to the Win10-01a Virtual Machine by double-clicking the Win10-01a.rdp link from the Main Console desktop.

7.1. Re-Connect to your Workspace ONE Access Tenant (IF NEEDED)

If your Workspace ONE app is still connected to your Workspace ONE Access tenant from earlier, you can skip this step.

  1. Click the Workspace ONE App from the task bar
  2. Enter https://{yourtenant} for the URL
    NOTE: Replace {yourtenant} with your actual tenant name that you accessed in previous steps!
  3. Click Continue

7.2. Select the Corp.Local Domain

  1. Select the corp.local domain
  2. Click Next

7.3. Enter the RADIUS Passcode

  1. Notice you are being prompted for the RADIUS passcode as part of your authentication now
  2. Notice that you are automatically recognized as holuser from the Kerberos authentication, which is the first step in this multi-factor authentication step
  3. Enter VMware1! for the RADIUS shared secret that you configured
  4. Click Sign In

7.4. Confirm RADIUS Authentication was Successful

  1. Click Settings
  2. Confirm that you were still authenticated as [email protected], which is the active directory account that is logged into the Windows 10 virtual machine you connected to.

This confirms that the Kerberos authentication was still able to successfully authenticate you as [email protected], but this time you were also required to enter a RADIUS passcode that you configured as a second factor of required authentication.


Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.