Hello Stephan -

What you show below does not look like a typical RADIUS authentication request.

First of all it has a Service-Type = Voice, then it only has MS-Machine-Name = 
“hostname.something”.

I am guessing this is some sort of preliminary host authentication, after which 
there may be some user authentication.

hope that helps

regards

Hugh


> On 15 Jul 2017, at 03:16, s.schw...@lumc.nl wrote:
> 
> Hi,
>  
> I was wondering if the following should/could work and if anyone has any 
> experience setting it up. I spent some hours on it but haven’t managed to get 
> it to work so far…
>  
> I have a Windows terminal server/remote desktop services gateway, which is a 
> MS product for proxying RDP over a tunneled connection using TLS.
> This is built on top of IIS/NPS. NPS is used for the authentication part.
> Functionality-wise, RDS GW provides exactly what I want, allowing a tunneled 
> RDP connection over 443 to resources I define on the GW server per user/group.
> The user will have to provide a username and password to create the tunnel to 
> the RDS GW, however by default it uses local authentication (Active 
> Directory). It’s possible to configure NPS to forward its authentication 
> requests to a RADIUS server, so I figured if I do that I can use some other 
> form of authentication for creating the tunnel like some form of OTP, whether 
> it be RSA, TOTP, HOTP or Yubikey and possibly other things I haven’t thought 
> of.
>  
> However once I do this, in my RADIUS server I receive the following error 
> once I try to authenticate. I figured I’d test out LSA first, and once I have 
> that working I’d work on getting OTPs working.
>  
> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
> *** Received from 172.16.0.3 port 55428 ....
> Code:       Access-Request
> Identifier: 2
> Authentic:  <212><215><195><163><28><225><128><240><145>U[<219><239>BdV
> Attributes:
>                 Service-Type = Voice
>                 User-Name = "domain\username"
>                 Called-Station-Id = "UserAuthType:PW"
>                 MS-Machine-Name = "hostname.something"
>                 MS-Network-Access-Server-Type = Terminal-Server-Gateway
>                 NAS-Port-Type = Virtual
>                 Proxy-State = <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
>  
> Mon Jul 10 03:36:41 2017: DEBUG: Handling request with Handler 
> 'Client-Identifier = From_NPS', Identifier 'Default'
> Mon Jul 10 03:36:41 2017: DEBUG:  Deleting session for domain\username, 
> 172.16.0.3,
> Mon Jul 10 03:36:41 2017: DEBUG: Handling with Radius::AuthLSA:
> Mon Jul 10 03:36:41 2017: DEBUG: AuthBy LSA result: REJECT, Authentication 
> protocol Unknown not allowed by AuthenProto configuration parameter
> Mon Jul 10 03:36:41 2017: INFO: Access rejected for domain\username: 
> Authentication protocol Unknown not allowed by AuthenProto configuration 
> parameter
> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
> *** Sending to 172.16.0.3 port 55428 ....
> Code:       Access-Reject
> Identifier: 2
> Authentic:  <168><196>1<151><190>*<174><132><177>*l<209>\NT~
> Attributes:
>                 Reply-Message = "Request Denied"
>                 Proxy-State = <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
>  
>  
> I tried the following handler for LSA auth:
> <Handler Client-Identifier = From_NPS>
>     Identifier Default
>     <AuthBy LSA>
>         Domain domainname
>         UsernameMatchesWithoutRealm
>     </AuthBy>
>     AuthLog Logfile_Dev
>     AcctLogFileName %L/Dev_detail_%Y-%m-%d.log
> </Handler>
>  
> Any pointers would be appreciated. 
> It should be possible, since for example this guide shows how to do it with 
> WikiD 
> http://www.techworld.com/tutorial/security/configuring-nps-2012-for-two-factor-authentication-3223170/.
> But I’d rather use 1 product instead of various products to achieve the same 
> result.
>  
> We do actually have Azure MFA which can be used for this, but I actually 
> don’t want to use it for this scenario.
>  
>  
> Kind regards,
>  
> Stephan Schwarz
> Senior Security Administrator | Leiden University Medical Center
>  
> Tel.: +31 (0)71-526-1822
> Email: s.schw...@lumc.nl
>  
>  
> _______________________________________________
> radiator mailing list
> radiator@lists.open.com.au
> http://lists.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
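As an added example (not part of either message above), a small Python script that parses a Radiator packet dump like the one quoted and reports which password-carrying attribute, if any, is present. Run over the quoted request it returns "Unknown", which matches the reject in the log: the packet carries a User-Name but no User-Password, CHAP, MS-CHAP or EAP attribute. The attribute-to-protocol table is the standard RADIUS one; treating a request with none of them as "Unknown" is an assumption about what the AuthenProto check is reporting, and both dumps are constructed for the example.

```python
"""Classify the authentication protocol in a Radiator Access-Request dump.

Added example (not from the thread). The attribute->protocol table is the
standard RADIUS one; treating a request with none of these attributes as
'Unknown' is an assumption about the rejection seen in the log above."""
import re

# Password-carrying attributes and the protocol each one implies.
PROTOCOL_BY_ATTRIBUTE = {
    "User-Password": "PAP",
    "CHAP-Password": "CHAP",
    "MS-CHAP-Response": "MSCHAP",
    "MS-CHAP2-Response": "MSCHAPV2",
    "EAP-Message": "EAP",
}

ATTR_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$")

def parse_attributes(dump):
    """Return {name: value} from the 'Attributes:' section of a packet dump.
    Continuation lines of binary values (e.g. Proxy-State) are skipped."""
    attrs, in_attrs = {}, False
    for line in dump.splitlines():
        if line.strip() == "Attributes:":
            in_attrs = True
        elif in_attrs and (m := ATTR_LINE.match(line)):
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs

def detect_auth_protocol(attrs):
    """Name the protocol an AuthBy could check, or 'Unknown' if none is present."""
    for attr, proto in PROTOCOL_BY_ATTRIBUTE.items():
        if attr in attrs:
            return proto
    return "Unknown"

# Constructed from the attribute list quoted above (Authenticator omitted).
NPS_REQUEST_DUMP = r"""
Attributes:
        Service-Type = Voice
        User-Name = "domain\username"
        Called-Station-Id = "UserAuthType:PW"
        MS-Machine-Name = "hostname.something"
        MS-Network-Access-Server-Type = Terminal-Server-Gateway
        NAS-Port-Type = Virtual
        Proxy-State =
"""

# Constructed PAP request for comparison; the password value is a placeholder.
PAP_REQUEST_DUMP = r"""
Attributes:
        User-Name = "domain\username"
        User-Password = "<encrypted-password-bytes>"
"""
```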
