VMware Horizon View

WWPass Authentication Implementation Guide for VMware Horizon View - RADIUS based

CHAPTER 1 – OVERVIEW

WWPass External Authentication Service (WWPass EAS) is a RADIUS-based authentication solution that lets you replace username and password authentication with WWPass multi-factor authentication technology in any software environment that supports the RADIUS protocol for user authentication.

WWPass EAS is based on FreeRADIUS, the most widely deployed RADIUS server in the world, and extends its functionality by adding support for WWPass Authentication Technology. WWPass EAS comes in the form of a virtual appliance running Ubuntu Linux that can be deployed into your organization's virtual infrastructure. Once deployed and configured, it becomes the authentication backend for the software used in your organization.

This document describes the steps to deploy and configure WWPass EAS. It covers deploying WWPass EAS in a VMware ESXi based virtual environment, installing WWPass Service Provider certificate files, configuring WWPass EAS with Microsoft Active Directory servers, and user registration.

Although VMware ESXi has been chosen as the virtual infrastructure provider, it is not a mandatory requirement. The virtual appliance is shipped as an Open Virtualization Format (OVF) file and can be deployed on Oracle VirtualBox and Microsoft Hyper-V virtualization platforms as well.

Microsoft Active Directory is also optional: it is possible to configure WWPass EAS without access to Active Directory servers.

Should you have any questions about WWPass EAS, please contact WWPass support at support@wwpass.com.

Related Documentation

Here is a list of all documentation which was used:

CHAPTER 2 – REQUIREMENTS

Below is the list of requirements for the WWPass EAS Virtual Appliance for VMware Horizon View (RADIUS based).

Virtual Machine Deployment Requirements

  • CPU - 1 or more
  • Memory - 512 Mb or more
  • Disk size - 2 Gb or more
  • Network interfaces - 1 or more
  • VMware vSphere ESXi - 4.0 or later
  • VMware Horizon View Connection Server - 5.1 or later
  • WWPass Service Provider certificates - contact WWPass by phone or email at support@wwpass.com

User Computer Requirements

  • Operating System - Microsoft Windows 7 or later (32-bit and 64-bit)
  • Web Browser
    • Internet Explorer - 9 or later (32-bit and 64-bit)
    • Firefox - 20 or later
  • VMware Horizon Client - 5.1 or later
  • WWPass Security Pack - 3.3 or later
  • WWPass Key - activated

CHAPTER 3 – IMPORT / DEPLOY AN OVF TEMPLATE TO A VIRTUAL MACHINE

VMware vSphere Client is used to import / deploy an OVF template to a virtual machine:

  1. Open the File tab on the top menu and select Deploy OVF Template.

  2. Click Browse.

  3. Find the wwpass-eas.ovf file on your computer. Select the file and click Open, then click Next.

  4. Read the details and click Next.

  5. Enter the new VM name, for example wwpass-eas. Click Next.

  6. Select the host or cluster on which the deployed template will run. Click Next. If you are connected to a hypervisor rather than to vCenter Server, this screen is absent.

  7. Keep the default format for the new VM to use. Click Next.

  8. Select the networks for the VM to use. Click Next.

  9. Read the summary and click Finish.

  10. Wait. When the VM is successfully deployed, click Close.

  11. Select the deployed VM in the left menu.

  12. Right-click the VM and select Open Console in the menu.

  13. Click Power On (the Play button).

  14. Wait while the VM boots.

  15. Enter username admin and password Qwerty1234%

    For security reasons it is recommended to change the default password of the "admin" user during initial setup. To do this, perform the following steps:

    • log in to the virtual machine using the default password;
    • run the "passwd" command;
    • enter the default password;
    • enter a new password;
    • re-enter the new password to make sure that there are no typos.

  16. The VM is successfully deployed.

CHAPTER 4 – SERVER CONFIGURATION

To configure the server, use any text editor, for example vi. Please refer to the comments in the configuration files for guidance.

Note: To save the buffer to the file being edited and quit vi, press Esc to leave Insert mode and enter the command ZZ or :wq

Network configuration

  1. Enter command: sudo vi /etc/hostname

  2. Enter the administrator password: Qwerty1234% or whatever it has been changed to.

  3. Enter the hostname, for example, wwpass-eas. Save and quit vi.

  4. Enter command: sudo vi /etc/hosts

  5. Enter the hostname, for example, wwpass-eas. Save and quit vi.

  6. Enter command: sudo vi /etc/network/interfaces

  7. Configure the network interfaces, specifying the network addresses for your virtual server. Save and quit vi.

AD interface configuration

  1. Enter command: sudo vi /etc/samba/lmhosts

  2. Specify your domain name in capital letters. Save and quit vi.

  3. Enter command: sudo net rpc join -U administrator

  4. Enter the domain administrator’s password. Make sure you have successfully joined the desired domain.

FreeRADIUS server configuration

  1. Enter command: sudo vi /etc/freeradius/clients.conf

  2. Change the RADIUS secret for localhost access and remember it.

    Scroll to the bottom of the configuration file. Add as many RADIUS authenticators as you need. Save and quit vi.

  3. Enter command: sudo shutdown -r now
    Wait for the reboot.

  4. Enter username admin and the administrator password Qwerty1234% or whatever it has been changed to.

  5. Put your WWPass Service Provider certificate and key files on the RADIUS server virtual machine. Copy the private key file your_company.com.key to the /etc/ssl/private directory and the certificate file your_company.com.crt to /etc/ssl/certs.

  6. Enter command: sudo vi /etc/wwpass/rhelper.conf

  7. Set the correct paths and filenames of the key and certificate files.

  8. To turn off access code verification during WWPass authentication through RADIUS or on the Web Control Panel, uncomment the corresponding lines and set:

    • use_access_code=False

    • use_access_code_cp=False (Turned on by default)

  9. Scroll to the bottom of the configuration file. Specify the radius_secret parameter according to your RADIUS server settings set in step 2 of server configuration. Save and quit vi.

  10. Enter command: sudo restart wwpass-radius-helper

    Note: Every time rhelper.conf is changed, you should restart the service with this command.

  11. Enter command: sudo shutdown -r now
    Wait until the server is rebooted.

  12. Check winbind daemon functionality with the command: sudo wbinfo -p
    A message will appear that the ping to winbindd succeeded.

  13. Check winbind daemon trust functionality with the command: sudo wbinfo -t
    A message will appear that checking the trust secret for the domain via RPC calls succeeded.
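
The two settings in this procedure that most affect security are the client secrets in clients.conf and the permissions on the private key copied to /etc/ssl/private. The following check is an added example, not part of the WWPass appliance or of FreeRADIUS; the sample stanzas, the list of known defaults, the 16-character minimum and the function names are assumptions made for illustration.

```python
import os
import re
import stat

# Constructed sample in FreeRADIUS clients.conf syntax (not from the appliance).
SAMPLE = """\
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client view-cs01 {
    ipaddr = 192.0.2.10
    secret = Zq7vR2mK9xLd4TfW8pNc
}
client view-cs02 {
    ipaddr = 192.0.2.11
    secret = horizon
}
"""
KNOWN_DEFAULTS = {"testing123", "secret", "radius", "password"}  # assumed list
MIN_LEN = 16  # assumed local policy, not a WWPass or FreeRADIUS requirement
# Simple stanza matcher: stops at the first "}" on its own line (no nested sections).
CLIENT_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
SECRET_RE = re.compile(r"^\s*secret\s*=\s*(\S+)", re.M)

def audit_clients(conf_text):
    """Return [(client, problem)] for stanzas with a missing or weak secret."""
    findings = []
    for name, body in CLIENT_RE.findall(conf_text):
        m = SECRET_RE.search(body)
        secret = m.group(1).strip('"') if m else ""
        if not secret:
            findings.append((name, "no secret set"))
        elif secret.lower() in KNOWN_DEFAULTS:
            findings.append((name, "well-known default secret"))
        elif len(secret) < MIN_LEN:
            findings.append((name, "secret shorter than %d characters" % MIN_LEN))
    return findings

def key_file_problems(path):
    """Return permission problems for a private key file such as your_company.com.key."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    checks = [(0o007, "accessible to other users"), (0o020, "group-writable")]
    return ["%s (mode %o)" % (text, mode) for bits, text in checks if mode & bits]

if __name__ == "__main__":
    for client, problem in audit_clients(SAMPLE):
        print("%s: %s" % (client, problem))
```

On the appliance, pass the contents of /etc/freeradius/clients.conf to audit_clients() and the key path set in rhelper.conf to key_file_problems(); both need to be run with sudo to read those files.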

Update of wwpass-radius-helper package

  1. Enter command: sudo apt-get update

  2. Wait for the results.

  3. Enter command: sudo apt-cache policy wwpass-radius-helper

  4. The current version and the possible candidate for update will be shown.

  5. To update the package, enter command: sudo apt-get install wwradius-helper

  6. Wait for the results. The package is successfully updated.

CHAPTER 5 – RADIUS SERVER: ADDING ADMINISTRATOR AND USER ACCOUNTS

To complete the RADIUS server initial setup, assign RADIUS administrator and user rights to Active Directory members and bind a WWPass Key to each of them.

Note: All users should already be registered in Active Directory and RADIUS and have activated WWPass Keys.

Note: WWPass Security Pack should be installed on administrators’ and users’ computers (see the requirements section above).

To register the first administrator

  1. Open Internet Explorer. Enter the RADIUS server IP address, followed by port number 8080.

  2. Present a WWPass Key to bind with the first server administrator account.

  3. Click Yes to confirm authentication.

  4. Enter the WWPass access code and click OK.

  5. Enter the RADIUS username and password of the first administrator. Click Register First Administrator.

  6. The first administrator account is now registered and bound to a WWPass Key. Click Proceed and register users.

To register users

  1. Open Internet Explorer. Enter the RADIUS server IP address, followed by port number 8080.

  2. Present the administrator’s WWPass Key to authenticate.

  3. Click Yes to confirm authentication.

  4. Enter the WWPass access code and click OK.

  5. Enter the new user’s username to register. Click Add User.

  6. Copy the link and send it to the user. The link is valid for 30 minutes or until the server is restarted. Click Close.

  7. You can add more users and see the list of all registered users and of pending binds, which are to be completed on the end user's side.

To complete registration on the end user's side

  1. Open the received URL in Internet Explorer.

  2. Present a WWPass Key to bind with the user’s account.

  3. Click Yes to confirm authentication.

  4. Enter the WWPass access code and click OK.

  5. Enter the user’s Active Directory password and click Register.

  6. The user’s account is successfully registered and bound to the WWPass Key.

To assign or remove administrator rights of a registered user

  1. Open Internet Explorer. Enter the RADIUS server IP address, followed by port number 8080.

  2. Present the administrator’s WWPass Key to authenticate.

  3. Click Yes to confirm authentication.

  4. Enter the WWPass access code and click OK.

  5. Click Set to assign administrator rights to the already registered user.

  6. Click Unset to remove administrator rights from the already registered user.

To delete a user

  1. Open Internet Explorer. Enter the RADIUS server IP address, followed by port number 8080.

  2. Present the administrator’s WWPass Key to authenticate.

  3. Click Yes to confirm authentication.

  4. Enter the WWPass access code and click OK.

  5. Select the user you want to delete and click Delete User.

CHAPTER 6 – VMWARE CONFIGURATION: SETTING UP RADIUS AUTHENTICATION

To customize RADIUS authentication, open VMware View Administrator in your web browser (Internet Explorer is recommended).

  1. Expand the View Configuration section in the left menu.

  2. Select Servers in the left menu and open the Connection Servers tab in the right pane.

  3. Select the server to customize and click Edit.

  4. Open the Authentication tab.

  5. Under Advanced Authentication, select RADIUS from the 2-factor authentication option.

  6. For the Authenticator option, select Create New Authenticator.

  7. Specify the following parameters:

    • Label that will be shown to clients;

    • Hostname/Address of the WWPass EAS server;

    • PAP as authentication type;

    • Shared RADIUS secret for localhost access set during RADIUS server configuration. Click Next.

  8. Click Finish.

  9. Click OK.
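
With PAP as the authentication type, the User-Password attribute sent to the RADIUS server is hidden only by an MD5 keystream derived from the shared secret (RFC 2865, section 5.2), so the strength of that secret decides how well the value is protected on the wire. The code below is an added example, not WWPass or VMware code; it implements the RFC's hiding scheme, and the secret, authenticator and password values are constructed.

```python
import hashlib

def keystream(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 5.2: b_i = MD5(shared secret + previous 16-byte block)
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password the way a RADIUS client does for PAP."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    # Pad with NULs to a multiple of 16 bytes (at least one block).
    padded = (password + b"\x00" * (-len(password) % 16)) or (b"\x00" * 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream(secret, prev)))
        hidden += block
        prev = block  # the next block is keyed by the previous hidden block
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Decode User-Password the way the RADIUS server does."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")

if __name__ == "__main__":
    authenticator = bytes(range(16))       # constructed; random per request in practice
    secret = b"Zq7vR2mK9xLd4TfW8pNc"        # constructed shared secret
    wire = hide_password(b"constructed-passcode-123", secret, authenticator)
    print(wire.hex())
    print(reveal_password(wire, secret, authenticator))
    # A server holding a different secret decodes to garbage and rejects the login.
    print(reveal_password(wire, b"mismatched-secret", authenticator))
```

A mismatch between the secret in clients.conf and the one entered in View Administrator therefore shows up as a failed authentication rather than as a protocol error.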

CHAPTER 7 – RCLIENT USER MANUAL

WWPass RClient (RADIUS Client) is a desktop application which provides WWPass authentication for software that does not support WWPass out of the box. RClient authenticates the user and starts one of the supported third-party applications, effectively replacing its username and password based authentication. RClient supports VMware Horizon View Client, Fortinet FortiGate and OpenVPN, and contains built-in configuration profiles for these applications.

Add connection

To add a connection to RClient:

  1. Click Add.

  2. Enter the connection name.

  3. Select VMware Horizon View Client as the application to connect to.

  4. Enter the WWPass EAS Hostname and the VMware Connection Server Hostname with the proper ports.

  5. Click Save.

  6. The created connection will be shown in the list of connections.

Edit connection settings

To edit connection settings:

  1. Select the connection in the list by clicking on it.

  2. Click Edit.

  3. Change all the parameters required.

  4. Click Save.

Establish connection

To establish a connection:

  1. Select the connection from the list by clicking on it.

  2. Click Connect.

  3. To approve authentication, click Yes.

  4. Enter the WWPass access code and click OK.

  5. The VPN connection is successfully established.

Unbind account

To unbind your WWPass account from the RADIUS account:

  1. Select the connection from the list by clicking on it.

  2. Click Unbind.

  3. To confirm binding removal, click Yes.

  4. To approve authentication, click Yes.

  5. Enter the WWPass access code and click OK.

  6. Your WWPass account is successfully unbound from the RADIUS account.

Remove connection

To remove a connection from the list:

  1. Select the connection from the list by clicking on it.

  2. Click Remove.

  3. To confirm connection removal, click Yes.

  4. The connection is successfully removed from the list.

Exit from RClient

To exit from RClient, use either of the following ways:

  • Click Exit.

  • Click the X button at the top of RClient.