Symptoms
You receive an 'Access Denied' message when trying to log in from Horizon Client
You have RADIUS 2FA configured with UAG or Connection Server
Your AD password is expired
Purpose
This article provides troubleshooting steps for RADIUS authentication when the user receives an "Access Denied" error, and explains why the error occurs.
Cause
When the environment is configured for RADIUS or SecurID 2FA, that authentication must succeed before there is any subsequent interaction with AD. This applies to both Connection Server and UAG; the 2FA step is mandatory.
With RADIUS, the user enters a username and RADIUS passcode. UAG or Connection Server (depending on where RADIUS authentication is configured) sends a RADIUS Access-Request. If it receives a RADIUS Access-Reject response from the RADIUS server, it is not permitted to proceed and displays an Access Denied error. The only responses that allow it to proceed are an Access-Accept or an Access-Challenge.
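To make that decision rule concrete, the following is an added Python example; it is not part of this article and not Horizon, UAG or Connection Server code. It parses a RADIUS reply as laid out in RFC 2865, verifies the Response Authenticator with the shared secret, and then applies the same rule the article states: only Access-Accept or Access-Challenge lets the login proceed, and anything else (an Access-Reject, a malformed packet, or a reply whose authenticator does not match) ends in Access Denied before AD is ever contacted. The shared secret, request authenticator, identifier and Reply-Message texts are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCESS_CHALLENGE = 11
ATTR_REPLY_MESSAGE = 18
ATTR_STATE = 24
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample values (placeholders, not from any real deployment).
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))   # 16 random bytes in a real client
REQUEST_ID = 7


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and (type, value) attributes,
    refusing inconsistent lengths instead of reading past the buffer."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field inconsistent with packet size")
    attributes, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attributes.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": packet[4:20], "attributes": attributes}


def response_authenticator(code, ident, length, request_auth, attr_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attr_bytes + secret).digest()


def build_response(code, ident, request_auth, attributes, secret) -> bytes:
    """Assemble a reply the way a RADIUS server would; used here only to
    construct sample packets for gateway_decision()."""
    attr_bytes = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    length = 20 + len(attr_bytes)
    auth = response_authenticator(code, ident, length, request_auth, attr_bytes, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attr_bytes


def gateway_decision(packet: bytes, request_auth: bytes, secret: bytes,
                     expected_id: int = REQUEST_ID) -> tuple:
    """The rule the article describes: only Access-Accept or Access-Challenge
    lets the login proceed; everything else is Access Denied.
    Returns (decision, detail)."""
    try:
        p = parse_radius(packet)
    except ValueError as exc:
        return ("Access Denied", f"malformed reply: {exc}")
    expected = response_authenticator(p["code"], p["id"], p["length"],
                                      request_auth, packet[20:p["length"]], secret)
    # Constant-time compare: a mismatch means a wrong shared secret or a
    # reply that was not produced by the configured RADIUS server.
    if not hmac.compare_digest(expected, p["authenticator"]):
        return ("Access Denied", "response authenticator mismatch")
    if p["id"] != expected_id:
        return ("Access Denied", "reply identifier does not match the request")
    reasons = "; ".join(v.decode("utf-8", "replace")
                        for t, v in p["attributes"] if t == ATTR_REPLY_MESSAGE)
    name = CODE_NAMES.get(p["code"], f"code {p['code']}")
    if p["code"] == ACCESS_ACCEPT:
        return ("proceed to AD authentication", name)
    if p["code"] == ACCESS_CHALLENGE:
        return ("prompt user for next passcode", f"{name}: {reasons}")
    # Access-Reject (or anything unexpected) never reaches AD.
    return ("Access Denied", f"{name}: {reasons or 'no Reply-Message'}")


def sample_responses() -> dict:
    """Constructed replies for the three codes, plus one where the code byte
    was flipped from Reject to Accept without knowledge of the secret."""
    reject = build_response(ACCESS_REJECT, REQUEST_ID, REQUEST_AUTHENTICATOR,
                            [(ATTR_REPLY_MESSAGE, b"Password expired")], SECRET)
    accept = build_response(ACCESS_ACCEPT, REQUEST_ID, REQUEST_AUTHENTICATOR, [], SECRET)
    challenge = build_response(ACCESS_CHALLENGE, REQUEST_ID, REQUEST_AUTHENTICATOR,
                               [(ATTR_STATE, b"\x01\x02"),
                                (ATTR_REPLY_MESSAGE, b"Enter next tokencode")], SECRET)
    tampered = bytes([ACCESS_ACCEPT]) + reject[1:]
    return {"reject": reject, "accept": accept, "challenge": challenge, "tampered": tampered}


if __name__ == "__main__":
    for label, pkt in sample_responses().items():
        print(f"{label:9s} -> {gateway_decision(pkt, REQUEST_AUTHENTICATOR, SECRET)}")
```

The Reply-Message attribute is where many RADIUS servers return the reason for a rejection (an expired password, for instance), which is why the article's first troubleshooting step is to read the RADIUS server's own logs rather than the Horizon side: the gateway only ever sees the code and, at most, that text.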
Resolution
First, check the logs on the RADIUS server to determine what its response was. Also check how the RADIUS server handles expired passwords.
Note: Please get support from the RADIUS server vendor to configure this correctly.
Some vendors use the RADIUS passcode from the Access-Request as the user's AD or LDAP password. Some allow the authentication attempt to succeed with an expired password, on the basis that the user has been authenticated, so that the user can proceed to the subsequent password-change workflow once AD can be contacted.
UAG is normally deployed in a DMZ, where often there is no contact with AD. If the RADIUS server rejects the authentication request for any reason, access is denied. That is correct behaviour, and Connection Server behaves the same way.