June 7, 2012 - Sven Huisman

Configure Cryptocard RADIUS with VMware View 5.1

One of the new features of VMware View 5.1 is the ability to use 2-factor authentication via RADIUS. During the beta of VMware View 5.1 I tested Cryptocard (now part of SafeNet), and in this post I describe how it works. I tested both challenge-response (using an SMS token) and a one-time passcode (generated by a token).

Challenge-response (using SMS token)

First I’m going to test 2-factor authentication using challenge-response with an SMS token. Challenge-response means that the user first needs to enter their Active Directory credentials against the RADIUS server (challenge). After that, the user will receive a code (response). The code needs to be entered in the next field.

Assuming you have configured the Cryptocard Blackshield server and RADIUS, I’m going to configure the View Connection Server. Go to the View Connection Server settings > Authentication:

 


Select RADIUS and create a new Authenticator:


Fill in the required fields:


Now it’s time to test the connection:


So the first thing you notice is that the VMware View client is asking for the “Cryptocard” user name and passcode. But in fact, you have to enter your Active Directory credentials. This is how the RADIUS feature works in this release of VMware View. It is not possible to adjust this text or these labels, or to let the RADIUS server respond with the correct fields. Hopefully, this will be added in the next release.

After you have entered your Active Directory credentials, you get the next field, the response field. Now it’s time to enter the SMS code you received:


After this, you are logged on and ready to select a desktop.
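On the wire, the challenge-response login above is a RADIUS Access-Request, an Access-Challenge, and a second Access-Request (RFC 2865). The following Python is an added example, not code from the original post, VMware or Cryptocard, showing how those packets are built and checked; all function names are hypothetical, and the user name, passwords, shared secret and State value used with it are constructed.

```python
import hashlib, hmac, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24   # RFC 2865 attribute types

def hide(password, secret, req_auth):
    """User-Password hiding (RFC 2865 5.2): XOR 16-byte blocks with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build(code, ident, auth, attrs):
    """Header (code, id, length, 16-byte authenticator) followed by type-length-value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        alen = pkt[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[pkt[pos]] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, attrs

def sign_reply(code, request, attrs, secret):
    """Server: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    pkt = build(code, request[1], request[4:20], attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def reply_ok(reply, request, secret):
    """Client: accept a reply only if it is bound to our request and the shared secret."""
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[1] == request[1] and hmac.compare_digest(want, reply[4:20])

def answer_challenge(challenge, request, user, sms_code, secret, new_auth):
    """Second Access-Request: SMS code as User-Password, State echoed back unchanged."""
    if not reply_ok(challenge, request, secret) or challenge[0] != ACCESS_CHALLENGE:
        raise ValueError("not an authentic Access-Challenge for this request")
    _, ident, attrs = parse(challenge)
    out = [(USER_NAME, user), (USER_PASSWORD, hide(sms_code, secret, new_auth))]
    out += [(STATE, attrs[STATE])] if STATE in attrs else []
    return build(ACCESS_REQUEST, (ident + 1) % 256, new_auth, out)
```

Both the password hiding and the reply check depend only on the shared secret configured for the authenticator, so that secret should be long and random.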

One-time passcode

Now it’s time to test VMware View with a one-time passcode. In this test, I used a KT4 token:


First, configure the View Connection Server. Go to the View Connection Server settings > Authentication:


I use the “Cryptocard” authenticator I created earlier and checked “Enforce 2-factor and Windows user name matching” and “Use same username and password for RADIUS and Windows authentication”.

Now it’s time to test the connection:


As you can see, this time the user name and passcode fields are correct: you have to enter your username and the one-time passcode from the token. Then you will see the next login screen:


Here you will have to enter your Active Directory password. After you have entered your password, you will be presented with the desktop pools you are entitled to.

Conclusion: 2-factor authentication using Cryptocard works, but VMware View needs some work to correctly work with challenge-response.


Comments

  • Frank Z says:

    Thx Sven, great info!

  • bahare says:

    Hello dear,
    I configured a RADIUS server 2008 on a server which is joined to my domain.
    My RADIUS server has IP 10.10.10.33, and I added it to VMware manager,
    but when I want to use vmclient to connect to, for example, vmmanager with administrator's credentials, it shows me access denied?
    Please help me.
    Thank you.