In vRealize Automation 7.X VMware Identity Manager (vIDM) was embedded in vRealize Automation Appliance, even though the UI for vIDM is disabled however we can still use the capability of vRealize Automation to Authenticate using a RADIUS server. There is a very informative VMware blog on Configuring vRA 7 for 2 Factor Authentication posted by Jon Schulman back in February 2016 but a few things have changed since then.

I had to configure Two Factor Authentication for one the customers, this was when i realized that there are few modification which are required to configure Two-Factor Authentication in vRA. In order to provide a brief overview, we will be using a Ubuntu Machine to install and will install Google Authenticator and RADIUS server on this machine. Ubuntu machine will integrate with Active Directory for Authentication and then we will configure vRealize Automation to use RADIUSAuthAdapter to Authenticate users with “AD Password + Google Authenticator Passcode”.

Configuring Two-Factor Authentication:

Pre-requisites:

1. 1 Ubuntu 18.04.3 VM
2. VM should have minimum of 2 vCPUs and 4 GB RAM
3. Active Directory
4. vRealize Automation 7.X
5. DNS Record for Ubuntu Machine

1. Configure Ubuntu Machine:

I am using an Ubuntu VM of 2 vCPUs, 4 GB Memory and 20 GB HDD for this Demo.

Patch/Update the Ubuntu machine and Install open-vm-tools using the below commands:

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install open-vm-tools

Install NTP and Open-SSH on the Ubuntu machine using the below commands:

sudo apt-get install ntp
sudo apt-get install openssh-server

Now would be a good time to verify DNS resolution for Active Directory and vRealize Automation.

Download and Install latest PowerBroker Identity Services package pbis-open-9.1.0.551.linux.x86_64.deb.sh from BeyondTrust Github repo:

sudo ./Desktop/pbis-open-9.1.0.551.linux.x86_64.deb.sh

Once the Power Broker Identity Services has been installed, there is one more thing that we need to do before we add Ubuntu machine to Active Directory. We need to uninstall Avahi daemon:

sudo apt-get remove avahi-daemon

Now we can add our Ubuntu machine to Active Directory using the below command:

sudo /opt/pbis/bin/domainjoin-cli join vmlab.local administrator@vmlab.local

After you have successfully joined the system to Active Directory, login to Active Directory and verify that the Computer Object has been created.

Reboot your Ubuntu machine. Once the machine has been restarted, you should be able to login to the machine using Active Directory Credentials.

Now we will setup the Default Domain, Home Directory and Shortname for our Active Directory Domain in the Ubuntu server by running the below commands:

sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
sudo /opt/pbis/bin/config UserDomainPrefix VMLAB

Now we need to add the below mentioned lines to /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file to allow users to login to Ubuntu machine using Active Directory Credentials on Ubuntu login screen:

sudo nano /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf

allow-guest=false
greeter-show-manual-login=true

Install Freeradius Server on your Ubuntu machine using the below command:

sudo apt install freeradius

Edit the file /etc/freeradius/3.0/radiusd.conf and replace the below entries:
Replace:
user = freerad
group = freerad

With:
user = root
group = root

Run the below command to enable PAM modules:
ln -sf /etc/freeradius/3.0/mods-available/pam /etc/freeradius/3.0/mods-enabled/pam

Comment out all the lines in the file /etc/pam.d/radiusd and add the below lines:

auth requisite pam_google_authenticator.so forward_pass
account required pam_lsass.so use_first_pass

Add the below entry to the file /etc/freeradius/3.0/users:

DEFAULT Auth-Type := PAM

Modify the file /etc/freeradius/3.0/clients.conf to make an entry for vRealize Automation server in the Ubuntu machine:

client vra76.vmlab.local {
ipaddr = 192.168.0.55
secret = VMwar31!
shortname = vra76
}

Edit the file and uncomment pam to enable Pluggable Authentication Modules in file /etc/freeradius/3.0/sites-enabled/default:

Restart FREEARDIUS service:

2. Install Google Authenticator:

Once your machine has been setup to Authenticate using Active Directory, we will proceed with installing Google Authenticator and generate Google Authenticator Token to generate Passcodes using Google Authenticator Mobile Application:

Use the below command to install Google Authenticator:

sudo apt install libpam-google-authenticator

We can now begin enabling our Active Directory users to start enrolling for Google Authenticator Application on their Mobile phones. Advise the users to login to the respective App Stores (Google Playstore & Apple’s App Store) to download and Install Google Authenticator App.

Assume the Identity of the user you want to enable for login and run the command google-authenticator:

su demo@vmlab.local
google-authenticator

Type y to generate a time-based token and a QR Code and Secret Key will be generated for th user. User can scan the QR code using Google Authenticator App or User can enter the Secret Key to import the tokwn in the App:

There are 5 Emergency Scracth codes which are generated for the user to use when user wants to Authenticate but does not have Mobile phone handy with him/her.
These codes are one-time codes and answer the below questions as per your environment. I would recommend answering the 3rd question as “yes”, as it will allow the users to use a token for upto 4 minutes otherwise the each token expires within 30 seconds.

Google Authenticator doesn’t allow you to take a screenshot of an actie token hence the image but a successfully imported token in Google Authenticator looks like this:

3. Configure vRealize Automation to Authenticate using Radius:

Login to vRealize Automation with Tenant Administrator credentials and click on the Connector under Directories Management section:

Click on the Auth Adapters and click on the RadiusAuthAdapter to enable Radius Authentication.

Enable Radius Adapter and enter the details of the Ubuntu machine, set the Authentication Type as PAP, you can enter Number of attemps to Radius server and Time out values as per your requirement and enter the shortname for your domain followed by a Backslash “\”:

If you want to enable High Availability, you can setup another Ubuntu machine in a similar fashion but for our demo we will not be enabling Secondary server. Click on Save to save the settings and enable the Radius Auth Adapter. Enter the Passphrase hint to provide users information about entering Password followed by Passphrase.

Click on Network Ranges and create a new Network range, All clients which are using the IP addresses of this range will be required to authenticate using Password + Passcode (Two-Factor Authentication). If you are using a Distributed vRealize Automation Deployment, Start and End IP Address of the Network Range should be the vRA Portal VIP:

Now the last step in the configuration is to setup a Policy Rule to enforce Radius Authentication. Create a Policy Rule by selecting the newly created Network Range, select All Device Types to access the content from and select the Authentication method as Radius and click on Ok.

Drag and drop the newly created Network Range to the top of the list and click Save to save the configuration:

Now when you’ll attempt to login to vRealize Automation portal using a client with the IP Address defined in the Network Range, you’ll prompted with the new Passphrase hint:

In order to login to vRA portal, enter your Password followed by the Google Authenticator Passphrase:

BOOM!!, you have managed to configure Two-Factor Authentication for vRealize Automation.