
VMware Horizon UAG OKTA RADIUS configuration

VMware Horizon UAG OKTA RADIUS configuration step-by-step. A walkthrough of setting up OKTA RADIUS

When standing up a VMware Horizon production environment, you must think about securing the perimeter for end-users. We all know that passwords are one of the weakest links in your overall cybersecurity scheme. Multi-factor authentication, most commonly two-factor authentication, is a great way to bolster the security of any environment, including VMware Horizon. In a previous post, I walked through how to configure Duo two-factor authentication with VMware Horizon. This post will look at VMware Horizon UAG OKTA RADIUS configuration to show how to configure an on-premises server hosting the OKTA agents that serves as a RADIUS server, enabling two-factor authentication using OKTA.

VMware Horizon UAG OKTA RADIUS configuration

There are a couple of different ways you can configure VMware Horizon UAG boxes for two-factor authentication with OKTA. You can use either SAML or RADIUS. There is a really great VMware Techzone article that walks you through the steps to configure VMware Horizon with OKTA using a SAML config. The link to that article is here:

SAML is the more fully featured implementation with OKTA and provides benefits over RADIUS. However, many are comfortable and familiar with RADIUS configurations and this method works quite well with OKTA. Configuring the RADIUS application on the OKTA side is easier than SAML since the VMware Horizon RADIUS prebuilt application is already found in the OKTA apps “marketplace.”

The configuration for RADIUS on the VMware Horizon UAG side is straightforward and simply involves pointing the UAG to the RADIUS box and entering the shared secret key. There are two components that you need to install for the OKTA RADIUS configuration:

  • OKTA AD Agent – This component syncs your on-premises Active Directory users to your OKTA environment. It provides the means to import users to OKTA
  • OKTA RADIUS Agent – This component provides the RADIUS server listener that your VMware Horizon UAG boxes connect to for RADIUS. You will note that the RADIUS configuration on the OKTA agent is minimal: you essentially configure only the port and the shared secret. The RADIUS server talks to the OKTA API endpoint for your OKTA subdomain.

These can both be installed on the same Windows Server if you want to consolidate resources. However, it is best practice to have multiple OKTA AD Agent installs in your environment for high availability.

Installing the OKTA AD Agent

The OKTA AD Agent is a lightweight agent that you can install on a Windows Server. There are only a few things to configure during the install; however, you want to pay attention to the details.

Beginning the installation of the OKTA AD Agent
Choosing the installation folder for the OKTA AD Agent

Select the on-premises domain that you want to manage with the OKTA AD Agent.

Choose your on-premises Active Directory domain

The next step involves configuring the OKTA Windows Service Account for use with the AD Agent.

Configure the OKTA AD Agent service account

Set the password for the OKTA service account.

Configure a password for the OKTA AD Agent service account

If you use a proxy server, you can configure this connection next.

Proxy server configuration if needed

Select the environment you want to use for the OKTA AD Agent; for most, this will be production. Then, enter your subdomain.

Register the OKTA agent with your OKTA subdomain

You will see a browser open and prompt you to sign in with your OKTA admin account.

Prompt to log in to your OKTA site with admin credentials to register the agent

After signing in, you will need to grant permissions to the AD Agent for installation and integration with your OKTA universal directory.

Grant access to the OKTA AD Agent

The installation of the AD Agent completes successfully.

Finalize the installation of the OKTA AD Agent

Installing the OKTA RADIUS Agent

I am installing the OKTA RADIUS Agent on the same Windows Server 2019 server as I have the OKTA AD Agent installed. However, for production and traffic purposes, you will most likely want to split these roles between different servers.

Beginning the installation of the OKTA RADIUS agent

You will note some important details here:

  • Supports password authentication protocol (PAP)
  • Delegates authentication to Okta
  • Installs as a Windows service
  • Includes Multi-factor authentication (MFA)

Important information regarding the OKTA RADIUS Agent

Prompt for the EULA.

Accepting the EULA for the RADIUS Agent
Configuring the installation folder for the OKTA RADIUS Agent

Enter your RADIUS shared secret and configure the port.

Setting the shared secret and RADIUS port for the OKTA RADIUS Agent

Configure a proxy server if needed for connectivity.

Configure a proxy server if needed for the OKTA RADIUS Agent installation

Choose which environment you want to integrate with OKTA and enter your subdomain.

Enter your customer domain to register the OKTA RADIUS Agent

Sign in to the OKTA service with your OKTA admin user.

Sign in to OKTA to finish registering the OKTA RADIUS Agent

Grant permissions to the RADIUS server agent.

Grant access to the OKTA RADIUS Agent

The OKTA RADIUS Agent installation completes successfully.

Installation of the OKTA RADIUS Agent completes

In case you are wondering what options you have with the OKTA RADIUS Server, they are extremely limited. It is basically a passthrough for authenticating against the VMware Horizon RADIUS application which we will configure next.

OKTA RADIUS Agent console

Adding the OKTA VMware Horizon RADIUS Application

Next, we need to add the OKTA VMware Horizon RADIUS application to the OKTA account. The OKTA RADIUS application for VMware Horizon provides the target for the RADIUS Agent that exists on-premises, and it is the means by which you assign users to your VMware Horizon environment. Let’s walk through adding the application. Navigate to Applications > Add Application.

Adding an application in OKTA

Search for VMware Horizon and you will see VMware Horizon View (RADIUS).

Search for VMware Horizon to find the VMware Horizon RADIUS application

Click Add.

Add the VMware Horizon View RADIUS application

Name the application.

Name your VMware Horizon RADIUS application for OKTA

Under the Sign-On Options tab for the application, make sure to enter the same shared secret key as you did when configuring the RADIUS agent on-premises.

Configure the sign-on options including the RADIUS port and shared secret key

Now, you just need to assign users to your VMware Horizon RADIUS application. Click the Assign button. You can choose to assign People or Groups.

Assign users to the OKTA VMware Horizon RADIUS application

Select the users you want to assign to the application.

Choose the users you want to assign to the VMware Horizon application

Click Save and Go Back.

Assigning the user to the application

Under assignments, you should see the user listed.

Viewing the assignments for the VMware Horizon RADIUS application

Now, we just need to configure the VMware Horizon UAG RADIUS settings to point to the on-premises OKTA RADIUS Agent.

Configure VMware Horizon UAG RADIUS settings

Under the Authentication Settings of the VMware Horizon UAG admin interface, edit your RADIUS settings.

Configure VMware Horizon UAG RADIUS authentication settings

Under the RADIUS settings, choose PAP as the authentication type, then set the shared secret, the RADIUS server host name, and the port.

Configure authentication type, RADIUS port and shared secret

After configuring the RADIUS settings, you then just need to set your Edge Services configuration for Horizon to use RADIUS in the Auth Methods.

Configure the Edge Services for the Horizon Connection Server to use RADIUS

Hopefully this walkthrough will help anyone who may be struggling to put the pieces and parts together with OKTA and RADIUS authentication for enabling two-factor authentication with VMware Horizon. Setting this up is fairly straightforward. Adding two-factor authentication to your VMware Horizon login process greatly bolsters the overall security of your Horizon environment.


Brandon Lee
