Hello Stephan - What you show below does not look like a typical RADIUS authentication request.
First of all it has a Service-Type = Voice, then it only has MS-Machine-Name = “hostname.something”. I am guessing this is some sort of preliminary host authentication, after which there may be some user authentication. hope that helps regards Hugh > On 15 Jul 2017, at 03:16, s.schw...@lumc.nl wrote: > > Hi, > > I was wondering if the following should/could work and if anyone has any > experience setting it up. I spend some hours on it but haven’t managed to get > it to work so far… > > I have a windows terminal server/remote desktop services gateway, which is a > MS product for proxying RDP over a tunneled connection using TLS. > This is built on top of IIS/NPS. NPS is used for the authentication part. > Functionality wise, RDS GW provides exactly what I want, allowing a tunneled > RDP connection over 443 to resources I define on the GW server per user/group. > The user will have to provide a username and password to create the tunnel to > the RDS GW, however by default it uses local authentication (active > directory). It’s possible to configure NPS to forward it’s authentication > requests to a RADIUS server, so I figured if I do that I can use some other > form of authentication for creating the tunnel like some form of OTP. Whether > it be RSA, TOTP, HOTP or Yubikey and possibly other things I haven’t thought > of. > > However once I do this, in my RADIUS server I receive the following error > once I try to authenticate. I figurd I’d test out LSA first, and once I have > that working I’d work on getting OTP’s working > > Mon Jul 10 03:36:41 2017: DEBUG: Packet dump: > *** Received from 172.16.0.3 port 55428 .... > Code: Access-Request > Identifier: 2 > Authentic: <212><215><195><163><28><225><128><240><145>U[<219><239>BdV > Attributes: > Service-Type = Voice > User-Name = "domain\username" > Called-Station-Id = "UserAuthType:PW" > MS-Machine-Name = "hostname.something" > MS-Network-Access-Server-Type = Terminal-Server-Gateway > NAS-Port-Type = Virtual > Proxy-State = > <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2> > > Mon Jul 10 03:36:41 2017: DEBUG: Handling request with Handler > 'Client-Identifier = From_NPS', Identifier 'Default' > Mon Jul 10 03:36:41 2017: DEBUG: Deleting session for domain\username, > 172.16.0.3, > Mon Jul 10 03:36:41 2017: DEBUG: Handling with Radius::AuthLSA: > Mon Jul 10 03:36:41 2017: DEBUG: AuthBy LSA result: REJECT, Authentication > protocol Unknown not allowed by AuthenProto configuration parameter > Mon Jul 10 03:36:41 2017: INFO: Access rejected for domain\username: > Authentication protocol Unknown not allowed by AuthenProto configuration > parameter > Mon Jul 10 03:36:41 2017: DEBUG: Packet dump: > *** Sending to 172.16.0.3 port 55428 .... > Code: Access-Reject > Identifier: 2 > Authentic: <168><196>1<151><190>*<174><132><177>*l<209>\NT~ > Attributes: > Reply-Message = "Request Denied" > Proxy-State = > <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2> > > > I tried the following handler for LSA auth: > <Handler Client-Identifier = From_NPS> > Identifier Default > <AuthBy LSA> > Domain domainname > UsernameMatchesWithoutRealm > </AuthBy> > AuthLog Logfile_Dev > AcctLogFileName %L/Dev_detail_%Y-%m-%d.log > </Handler> > > Any pointers would be appreciated. > It should be possible, since for example this guide shows how to do it with > WikiD > http://www.techworld.com/tutorial/security/configuring-nps-2012-for-two-factor-authentication-3223170/. > But I rather use 1 product instead of various products to achieve the same > result.. > > We do actually have Azure MFA which can be used for this, but I actually > don’t want to use it for this scenario. > > > Kind regards, > > Stephan Schwarz > Senior Security Administrator | Leiden University Medical Center > > <image001.png> > Tel.: +31 (0)71-526-1822 > Email: s.schw...@lumc.nl > > > _______________________________________________ > radiator mailing list > email@example.com > http://lists.open.com.au/mailman/listinfo/radiator -- Hugh Irvine h...@open.com.au Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER, SIM, etc. Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc. _______________________________________________ radiator mailing list firstname.lastname@example.org http://lists.open.com.au/mailman/listinfo/radiator