VMware Access Point Radius two-factor authentication with SafeNet
Security is king, always has been and always will be. For a customer we are deploying a new environment with VMware Horizon 7 as the platform the employees work on. To give them remote access we are deploying VMware Access Points in the perimeter network. VMware Access Point is a new solution (not so new anymore) that replaced the Security Server. The VMware Access Point is a SUSE Linux based appliance that is deployed with a PowerShell script within minutes. Together with SafeNet Authentication Service (the cloud version) and RADIUS authentication, employees are granted secure access to the network.
So let’s take a quick look at the environment to give you an idea of what we are talking about. We have a two-datacenter VMware Horizon 7 VDI environment. We deployed Windows 10 1607 LTSB as the desktop solution and 99% of the environment runs Windows Server 2012 R2.
We run some servers in a perimeter network that offer services to employees who want to get in from outside. The whole backend is secured by VMware NSX, Palo Alto firewalls and more cool stuff. We use VMware Access Points to grant remote access together with the SafeNet Authentication Service (SAS). On the mobile devices managed by VMware AirWatch we deploy the SafeNet authentication app called MobilePASS.
I couldn’t find an architecture overview on the Internet other than a Security Server design, so I created one myself in Microsoft Visio. The drawing below shows how the components operate.
The internal agent with a cool name, “SafeNet Authentication Service Synchronization Agent for SAS Cloud Version”, synchronizes with Active Directory to push the usernames and group memberships to the cloud. That communication takes place over port 8456.
When the employee connects to the VMware Access Point with e.g. the Horizon Client, they are prompted with a Username + Passcode screen. The Access Point checks the passcode entered there against the SafeNet cloud service. This communication takes place over port 1812 (RADIUS) to authenticate you.
Once that authentication is complete and the username and passcode are correct, the employee is forwarded to the VMware Connection Server. Here they are presented with the username and password screen to authenticate against the domain. After this the user is presented with the available resources and can start a desktop.
One might argue that this is not what they want: a passcode first, before you authenticate with a password. I think it is exactly what you want: first you prove you are allowed to enter the network, and only then do you get a chance to authenticate against the domain.
Let me show you the deployment, which is remarkably simple and straightforward. There are a few simple steps to follow:
- Set up the SafeNet cloud service (not gonna discuss this here)
- Install the agent to synchronize with Active Directory
- Deploy the VMware Access Point with RADIUS support
- Deploy MobilePASS to the mobile devices
- Add users to groups and test
The agent is installed on a LAN server that has access to Active Directory to sync users and group memberships. We created three groups: a servicedesk group, a MobilePass group and a StaticPass group.
Set the authentication nodes, the primary and the failover one; you need their IP addresses as well for the ini file that you use to deploy the VMware Access Point.
So the agent syncs users and group memberships to the cloud; you select the groups you want to sync in the agent console. We sync two groups: one for a static token and one for a mobile token, where the user needs the app to get the token.
There are more settings, but most of them have to do with notifications and the synchronization with Active Directory.
Next is deploying the VMware Access Point. The VMware Access Point comes in many versions… not kidding, many versions indeed. We picked 2.7.2 because 2.5.1 is too old and 2.8 is too new. 2.7.2 is supported with Horizon 7, so it was the best one to use.
The VMware Access Point is deployed with a PowerShell script; there are several scripts available and one of them is for RADIUS. To get started you need a few things:
- Remote URL
- Remote IP
- Connection string for your vCenter server plus its details
- Storage details
- VLAN configuration
- IP configuration
- Certificates for the external address
- Thumbprints of your internal Connection Server certificates
- SafeNet IP addresses
Sounds like a lot? It’s not that big a list and most are obvious ones. The VMware side of things is pretty easy so I leave it out for now. Below you see the SafeNet RADIUS part of the ini file.
--- part of the RADIUS section of the ini file ---
# hostName is the name or IP address of the primary RADIUS server
# authtype must match the configuration of the RADIUS server. It is one of
# PAP, CHAP, MSCHAPv1, or MSCHAPv2
# authPort is the authentication destination UDP port configured on the RADIUS server. It is
# usually 1812
# radiusDisplayHint is a short string that will be included in the client prompt.
# In this example, the user prompt will be “Enter your XXX Token username and passcode”
# accountingPort is the optional destination UDP port for accounting information configured on
# the RADIUS server. If specified, it is usually 1813
# hostName_2 is the name or IP address of the secondary RADIUS server if one is present
So with this in place you start PowerShell as an administrator and run the script. As you see below, the script is pretty simple; VMware created a nice script for this. One thing to keep in mind: the script assumes the OVF Tool is installed on the C:\ drive. If you installed it somewhere else, edit the script, as the path is hard-coded there 🙁
When you deploy you will be prompted for the root and admin passwords and for the RADIUS shared secret that you set on the SafeNet side. Fill these in and deploy. Wait a few minutes and you have a VMware Access Point ready to rock.
The next step is to add a user to a group and do some tests. I added myself to the StaticPass group and fired up the Horizon Client. There you go: the VMware Access Point prompts for a username and a passcode.
Once the passcode is accepted and the employee is authenticated, the next screen is presented and the employee is forwarded to the VMware Connection Server web page to authenticate with a username and password.
After logging on, a screen with the available resources is presented. It works.
Next up is enrolling for the mobile app that generates a passcode when you log on. We deployed the app with VMware AirWatch, and the user is enrolled/activated by e-mail once they are added to the MobilePass group. I received the e-mail with an activation link; if you don’t have the app yet you are also given a download link, but since we pushed the app with AirWatch that was no bother.
- Next, click the link in the e-mail and you are redirected to the app.
- Then activate MobilePASS to get a token to authenticate with.
- Once this is done you’re finished and you can safely work remotely.
The testing is the same… and so is the result.
Hope this article helps you when you deploy a VMware Access Point with SafeNet RADIUS.