VMware Horizon View
WWPass Authentication Implementation Guide for VMware Horizon View - RADIUS based
CHAPTER 1 – OVERVIEW
WWPass External Authentication Service (WWPass EAS) is a RADIUS-based authentication solution which allows you to replace username and password authentication with WWPass multi-factor authentication technology in any software environment that supports the RADIUS protocol for user authentication.
WWPass EAS is based on FreeRADIUS – the most widely deployed RADIUS server in the world – and extends its functionality by adding support for WWPass Authentication Technology. WWPass EAS comes in the form of a virtual appliance running Ubuntu Linux that can be deployed into your organization's virtual infrastructure. Once deployed and configured, it becomes the authentication backend for the software used in your organization.
This document describes the steps to deploy and configure WWPass EAS. It covers deployment of WWPass EAS in a VMware ESXi based virtual environment, installing WWPass Service Provider certificate files, configuring WWPass EAS with Microsoft Active Directory servers, and user registration.
Although VMware ESXi has been chosen as the virtual infrastructure provider, it is not a mandatory requirement. The virtual appliance is shipped as an Open Virtualization Format (OVF) file and can be deployed on Oracle VirtualBox and Microsoft Hyper-V virtualization platforms as well.
Microsoft Active Directory is also optional: it is possible to configure WWPass EAS without access to Active Directory servers.
Should you have any questions about WWPass EAS, please contact WWPass support at support@wwpass.com
Related Documentation
Here is a list of all documentation which was used:
- http://wiki.freeradius.org/guide/NTLM-Auth-with-PAP-HOWTO
- https://communities.vmware.com/docs/DOC-19448
- https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
- http://freeradius.org/radiusd/man/unlang.html
CHAPTER 2 – REQUIREMENTS
Below is the list of requirements for the WWPass EAS Virtual Appliance for VMware Horizon View (RADIUS based).
Virtual Machine deployment Requirements
- CPU - 1 or more
- Memory - 512 Mb or more
- Disc size - 2 Gb or more
- Network interfaces - 1 or more
- VMware vSphere ESXi - 4.0 or later
- VMware Horizon View Connection Server - 5.1 or later
- WWPass Service Provider certificates - contact WWPass by phone or email at support@wwpass.com
User computers Requirements
- Operating System - Microsoft Windows 7 or later (32-bit and 64-bit)
- Web Browser
  - Internet Explorer - 9 or later (32-bit and 64-bit)
  - Firefox - 20 or later
- VMware Horizon Client - 5.1 or later
- WWPass Security Pack - 3.3 or later
- WWPass Key - activated
CHAPTER 3 – IMPORT / DEPLOY AN OVF TEMPLATE TO A VIRTUAL MACHINE
To import / deploy an OVF Template to a Virtual Machine, use VMware vSphere Client:
Open File tab on the top menu and select Deploy OVF Template.
Click
Find the wwpass-eas.ovf file on your computer. Select the file and click Click
Read the details and click
Enter the new VM name. For example, wwpass-eas . Click
Select the host or cluster on which the deployed template will be running. Click If you are connected to hypervisor as opposed to vCenter Server this screen will be absent.
Keep the default format for the new VM to use. Click
Select the networks for the VM to use. Click
Read the summary and click
Please, wait. When the VM is successfully deployed, click
Select the deployed VM in the left menu.
Right-click on the VM and select Open Console in the menu.
Click Power On
Please, wait while booting.
Enter username admin and password Qwerty1234%
For security reasons it is recommended to change the default password of "admin" user during initial setup. In order to do this perform the following steps:
- log in to the virtual machine using the default password;
- run "passwd" command;
- enter the default password;
- enter a new password;
- re-enter the new password to make sure that there are no typos.
VM is successfully deployed.
CHAPTER 4 – SERVER CONFIGURATION
To configure a server, use any text editor, for example vi. Please refer to comments in the configuration files for guidance.
note
To quit vi and save the contents of the buffer to the file being edited, press Esc to leave Insert mode and enter the command ZZ or :wq
Network configuration
Enter command: sudo vi /etc/hostname
Enter the administrator password: Qwerty1234% or whatever it is changed to.
Enter the hostname, for example, wwpass-eas. Save and quit vi.
Enter command: sudo vi /etc/hosts
Enter the hostname, for example, wwpass-eas. Save and quit vi.
Enter command: sudo vi /etc/network/interfaces
Configure network interfaces, specifying the network addresses for your virtual server. Save and quit vi.
AD interface configuration
Enter command: sudo vi /etc/samba/lmhosts
Specify your domain name in capital letters. Save and quit vi.
Enter command: sudo net rpc join -U administrator
Enter domain administrator’s password. Make sure you successfully joined the desired domain.
FreeRADIUS server configuration
Enter command: sudo vi /etc/freeradius/clients.conf
Change RADIUS secret for localhost access and remember it.
Scroll the configuration file to the bottom. Add as many RADIUS authenticators as you need. Save and quit vi.
Enter command: sudo shutdown -r now
Wait for the reboot.
Enter username admin and the administrator password Qwerty1234% or whatever it is changed to.
Put your WWPass Service Provider certificate and key files on the radius server virtual machine. Copy private key file your_company.com.key to /etc/ssl/private directory and certificate file your_company.com.crt to /etc/ssl/certs.
Enter command: sudo vi /etc/wwpass/rhelper.conf
Set correct paths and filenames of the key and certificate files.
To turn off access code verification during WWPass authentications through RADIUS or on Web Control Panel, uncomment the corresponding lines and set:
use_access_code=False
use_access_code_cp=False (Turned on by default)
Scroll the configuration file to the bottom. Specify radius_secret parameter according to your RADIUS server settings set in step 2 of server configuration. Save and quit vi.
Enter command: sudo restart wwpass-radius-helper
note
Every time the rhelper.conf is changed you should restart the service with this command.
Enter command: sudo shutdown -r now
Wait until the server is rebooted.
Check winbind daemon functionality with the command: sudo wbinfo -p
A message will appear that ping to winbindd succeeded.
Check winbind daemon trust functionality with the command: sudo wbinfo -t
A message will appear that checking the trust secret for domain via RPC calls succeeded.
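A check that can be run after the FreeRADIUS and rhelper.conf steps above, as an added example that is not part of the WWPass guide or appliance: it flags clients.conf secrets that are still FreeRADIUS's stock testing123 or shorter than 16 characters (a threshold chosen here) and confirms that the localhost secret equals radius_secret in rhelper.conf. The function names, the sample files and the assumption that rhelper.conf holds plain key=value lines are this example's own.

```shell
#!/bin/sh
# Added example, not WWPass code. Assumes rhelper.conf holds key=value lines.

# Print "client<TAB>secret" for each client block in a FreeRADIUS clients.conf.
list_client_secrets() {
    awk '
        /^[ \t]*#/ { next }                                  # comment line
        /^[ \t]*client[ \t]/ { name = $2; sub(/[{].*$/, "", name) }
        /^[ \t]*secret[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print name "\t" $0
        }
    ' "$1"
}

# Names of clients still on FreeRADIUS's stock "testing123" or a secret shorter
# than 16 characters (threshold chosen for this example).
weak_clients() {
    list_client_secrets "$1" |
        awk -F'\t' '$2 == "testing123" || length($2) < 16 { print $1 }'
}

# Value of radius_secret in rhelper.conf (the last assignment in the file).
helper_secret() {
    awk '/^[ \t]*radius_secret[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); s = $0
         } END { print s }' "$1"
}

# Succeed only if the localhost client secret equals radius_secret.
localhost_matches_helper() {
    fr_secret=$(list_client_secrets "$1" |
        awk -F'\t' '$1 == "localhost" { print $2 }')
    [ -n "$fr_secret" ] && [ "$fr_secret" = "$(helper_secret "$2")" ]
}

# Constructed sample files, not taken from a real appliance.
demo_dir=$(mktemp -d)
printf 'client localhost {\n    secret = testing123\n}\n' > "$demo_dir/clients.conf"
printf 'client horizon-cs {\n    secret = Zk4vQ9mT2xLr7Wd8Hs3B\n}\n' >> "$demo_dir/clients.conf"
printf '# use_access_code=False\nradius_secret=testing123\n' > "$demo_dir/rhelper.conf"

echo "weak secrets: $(weak_clients "$demo_dir/clients.conf" | tr '\n' ' ')"
if localhost_matches_helper "$demo_dir/clients.conf" "$demo_dir/rhelper.conf"
then echo "localhost secret matches radius_secret"
else echo "MISMATCH between clients.conf and rhelper.conf"
fi
```

On the appliance, point the functions at /etc/freeradius/clients.conf and /etc/wwpass/rhelper.conf under sudo; in the sample the two files agree, yet the localhost secret is still reported as weak.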
Update of wwpass-radius-helper package
Enter command: sudo apt-get update
Please, wait for results.
Enter command: sudo apt-cache policy wwpass-radius-helper
Current version and possible candidate for update will be shown.
To update the package, enter command: sudo apt-get install wwpass-radius-helper
Please, wait for results. Package is successfully updated.
CHAPTER 5 – RADIUS SERVER: ADDING ADMINISTRATOR AND USER ACCOUNTS
To complete the RADIUS server initial setup, assign RADIUS administrator and user rights to Active Directory members and bind a WWPass Key to each of them.
note
All users should already be registered in Active Directory and RADIUS and have activated WWPass Keys.
note
WWPass Security Pack should be installed on administrators' and users' computers (see requirements section above).
To register the first administrator
Open Internet Explorer. Enter RADIUS server IP address, followed by port number 8080.
Present a WWPass Key to bind with the first server administrator account.
Click to confirm authentication.
Enter WWPass access code and click
Enter the RADIUS username and password of the first administrator. Click
The first administrator account was registered and bound with a WWPass Key. Click and register users.
To register users
Open Internet Explorer. Enter RADIUS server IP address, followed by port number 8080.
Present the administrator’s WWPass Key to authenticate.
Click to confirm authentication.
Enter WWPass access code and click
Enter new user’s username to register. Click
Copy the link and send it to the user. The link is valid for 30 minutes or until the server is restarted. Click
You can add more users and see the list of all registered users and pending binds which should be completed on end-users side.
To complete registration on end-users side
Open the received URL in Internet Explorer.
Present a WWPass Key to bind with the user’s account.
Click to confirm authentication.
Enter WWPass access code and click
Enter the user’s Active Directory password and click
User’s account is successfully registered and bound to the WWPass Key.
To assign or remove administrator rights of a registered user
Open Internet Explorer. Enter RADIUS server IP address, followed by port number 8080.
Present the administrator’s WWPass Key to authenticate.
Click to confirm authentication.
Enter WWPass access code and click
Click to assign administrator rights to the already registered user.
Click to remove administrator rights from the already registered user.
To delete user
Open Internet Explorer. Enter RADIUS server IP address, followed by port number 8080.
Present the administrator’s WWPass Key to authenticate.
Click to confirm authentication.
Enter WWPass access code and click
Select the user you want to delete and click
CHAPTER 6 – VMWARE CONFIGURATION: SETTING UP RADIUS AUTHENTICATION
To customize RADIUS authentication, open VMware View Administrator in your web browser (Internet Explorer is recommended).
Expand View Configuration section in the left menu.
Select Servers in the left menu and open Connection Servers tab in the right pane.
Select the server to customize and click
Open Authentication tab.
Under Advanced Authentication, select RADIUS from the 2-factor authentication option.
For the Authenticator option, select Create New Authenticator.
Specify the following parameters:
- Label that will be shown to clients;
- Hostname/Address of the WWPass EAS server;
- PAP as authentication type;
- Shared RADIUS secret for localhost access set during RADIUS server configuration. Click
Click
Click
CHAPTER 7 – RCLIENT USER MANUAL
caution
We are no longer supporting WWPass RClient (RADIUS Client).
If you are interested in WWPass authentication for software that does not support WWPass out of the box, such as VMware Horizon View Client, Fortinet FortiGate and OpenVPN, please contact us.
WWPass RClient (RADIUS Client) is a desktop application which provides WWPass authentication for software that does not support WWPass out of the box. RClient authenticates the user and starts one of the supported third-party applications, effectively replacing its username and password based authentication. RClient supports VMware Horizon View Client, Fortinet FortiGate and OpenVPN, and contains built-in configuration profiles for these applications.
Add connection
To add a connection to RClient:
Click
Enter connection name.
Select the VMware Horizon View Client as an application to connect to.
Enter WWPass EAS Hostname and VMware Connection Server Hostname with proper ports.
Click
The created connection will be shown in the list of connections.
Edit connection settings
To edit connection settings:
Select the connection in the list by clicking on it.
Click
Change all parameters required.
Click
Establish connection
To establish connection:
Select the connection from the list by clicking on it.
Click to
To approve authentication click
Enter WWPass access code and click
VPN connection is successfully established.
Unbind account
To unbind your WWPass account from RADIUS account:
Select the connection from the list by clicking on it.
Click to
To confirm binding removal click
To approve authentication click
Enter WWPass access code and click
Your WWPass account is successfully unbound from RADIUS account.
Remove connection
To remove connection from the list:
Select the connection from the list by clicking on it.
Click
To confirm connection removal click
The connection is successfully removed from the list.
Exit from RClient
To exit from the RClient you can use either of the following ways:
Click
Click the X button at the top of RClient