RADIUS Multi-Factor Authentication with Cloud Access Manager Deployments
Cloud Access Manager supports Multi-Factor Authentication (MFA) for PCoIP client sessions. The Cloud Access Manager MFA implementation is based on the RADIUS protocol, so customers can leverage their existing RADIUS server installation to enable MFA for Cloud Access Manager deployments. When deploying through the Azure Cloud Shell or Microsoft PowerShell, you can configure MFA by specifying the RADIUS settings. These settings are stored as part of the broker configuration and are later used to initiate an MFA session on behalf of the PCoIP client.
Multi-Factor Authentication Client Support
Cloud Access Manager does not presently support RADIUS MFA with Chrome, iOS and Android clients.
Multi-Factor Authentication Architecture for Cloud Access Manager
The Cloud Access Manager broker performs the primary authentication by verifying the user credentials against Active Directory. On a successful primary authentication attempt, the broker/admin UI initiates the secondary authentication to the RADIUS server. The Cloud Access Manager broker currently uses the PAP protocol for authenticating the 2nd factor passcode with the RADIUS server. The PAP protocol is compatible with all major vendors' RADIUS implementations.
The image below outlines the internal and external connection flow for Teradici Cloud Access Manager:
RADIUS Server Configuration
The RADIUS server configuration needs to be updated with the appropriate information, for example the RADIUS client IP, the shared secret, and 2nd factor only authentication. These details vary depending on the RADIUS server implementation. If you need assistance with your RADIUS server MFA setup, please contact Teradici support.