Set Up RADIUS as an Authentication Adapter
In this lesson we will set up RADIUS as an additional authentication method and configure it to work with our FreeRADIUS.net instance.
VMware Workspace ONE using Identity Manager allows for setting up Network Ranges and different authentication policies that can be assigned to different network ranges. For example, you might want your end-users to authenticate with their Active Directory credentials when they are in the office and connected to the corporate network. You might want your users to use 2-factor authentication when working from home. You might have a group of users requiring Multi-Factor Authentication (MFA) because of the applications they can access.
For this lab, we are using FreeRADIUS.net to simulate a RADIUS-compatible authentication adapter. In a real-world scenario this could be your RSA server or any other 2-factor authentication solution supporting the RADIUS protocol. We have set up a password (123456) that differs from the default AD password (VMware1!) typically used in the HOL, so consider this your RSA token. We will start this simulation in the next steps.
We will walk through the configuration of the RADIUS authentication adapter within Workspace ONE Identity Manager and assign RADIUS authentication to all connections coming from a specific network range.
- Open the Start Menu on the main console
- Select FreeRADIUS START
- Verify FreeRADIUS is started and Ready to process requests.
Attention: Please leave the FreeRADIUS START window open or minimize it, but DO NOT close it.
From the main console, open Google Chrome
Open Identity Manager Console
- Click WS1 on the Bookmark bar and open VIDM-01 Admin to open Management Console
- If prompted for Select your domain, confirm corp.local and click Next
Login to Identity Manager
- Username: administrator
- Password: VMware1!
- Click Sign in
Setup Authentication Adapters
- Click Identity & Access Management tab
- Click Setup, the tab on the right next to Manage
- You should be on the Legacy Connectors tab
- Click on conn-01 under Worker. conn-01 is the Workspace ONE Access Connector that is already set up to handle synchronization of the directory / Horizon and to configure authentication.
Modify Authentication Adapters
- Click Auth Adapters in the center top
- Click RadiusAuthAdapter at the bottom. Notice that it is disabled; we will enable it in the next step
This will redirect you to the Admin Console to edit the Authentication Adapter.
Note: Leave all of the settings that we don't mention below at their defaults
- Check 'Enable RADIUS Adapter'
- Check 'Enable direct authentication to Radius server during auth chaining'
- Set 'Number of attempts to Radius server' to 5
- Set 'Server timeout in seconds' to 5
- Specify 192.168.110.10 as the RADIUS server IP. This is the IP of the Main Console where we are running FreeRADIUS.
- Scroll down
- Set Accounting port to 1813
- Choose PAP as Authentication type
- Enter HOLrocks! as the shared secret
- Leave configuration for secondary server empty
- Click Save
Confirm no errors at the top.
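What the PAP authentication type and shared secret chosen above mean on the wire, shown as an added example that is not part of the original lab or VMware's code: with PAP the User-Password attribute is hidden with MD5 keyed by the shared secret (RFC 2865, section 5.2), so that secret is what protects the password between the connector and the RADIUS server. The user name labuser is a constructed value; the password and shared secret are the lab's.

```python
import hashlib
import os
import struct

SHARED_SECRET = b"HOLrocks!"   # shared secret entered in the adapter (from the lab)
LAB_PASSWORD = b"123456"       # the lab's stand-in for a token code
USER_NAME = b"labuser"         # constructed user name, not from the lab


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password, secret, authenticator):
    """Hide a User-Password value as RFC 2865 section 5.2 specifies."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Each block is XORed with MD5(secret + previous ciphertext block).
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def pap_reveal(hidden, secret, authenticator):
    """What the RADIUS server does: undo the hiding with the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(user, password, secret, authenticator, identifier=1):
    """Assemble Code=1 (Access-Request) with User-Name (1) and User-Password (2)."""
    hidden = pap_hide(password, secret, authenticator)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


if __name__ == "__main__":
    ra = os.urandom(16)  # Request Authenticator, fresh per request
    pkt = build_access_request(USER_NAME, LAB_PASSWORD, SHARED_SECRET, ra)
    print("Access-Request:", pkt.hex())
    print("Server recovers:", pap_reveal(pkt[-16:], SHARED_SECRET, ra))
    print("Wrong secret gives:", pap_reveal(pkt[-16:], b"wrong", ra))
```

If the shared secret on the adapter and on the RADIUS server differ, the server recovers garbage instead of the password and rejects the login, which is the usual cause of failures right after this configuration step.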