Hi Hugh,

Nah, there's no kind of machine authentication. It passes along the machine 
name purely for accounting information actually.
With a regular RDP client, when you enable the gateway option, you have 2 
options to authenticate to the gateway either smartcard (suppose I could go 
this route if I can't get RADIUS working) or username/password with NTLM.
This would cause me to have to enter 2 sets of credentials in a row.
Once to authenticate and establish a tunnel to the proxy. And the second 
credential screen that shows up is for the credentials to connect to the remote 

You actually see the username that's sent for the authentication request under 
the Service-Type attribute.
> Attributes:
>                 Service-Type = Voice
>                 User-Name = "domain\username"

-----Original Message-----
From: Hugh Irvine [mailto:h...@open.com.au] 
Sent: Saturday, July 15, 2017 7:38 AM
To: Schwarz, S. (ICT) <s.schw...@lumc.nl>
Cc: radia...@open.com.au
Subject: Re: [RADIATOR] Using RADIUS with RDS Gateway

Hello Stephan -

What you show below does not look like a typical RADIUS authentication request.

First of all it has a Service-Type = Voice, then it only has MS-Machine-Name = 

I am guessing this is some sort of preliminary host authentication, after which 
there may be some user authentication.

hope that helps



> On 15 Jul 2017, at 03:16, s.schw...@lumc.nl wrote:
> Hi,
> I was wondering if the following should/could work and if anyone has 
> any experience setting it up. I spend some hours on it but haven’t 
> managed to get it to work so far…
> I have a  windows terminal server/remote desktop services gateway, which is a 
> MS product for proxying RDP over a tunneled connection using TLS.
> This is built on top of IIS/NPS. NPS is used for the authentication part.
> Functionality wise, RDS GW provides exactly what I want, allowing a tunneled 
> RDP connection over 443 to resources I define on the GW server per user/group.
> The user will have to provide a username and password to create the tunnel to 
> the RDS GW, however by default it uses local authentication (active 
> directory). It’s possible to configure NPS to forward it’s authentication 
> requests to a RADIUS server, so I figured if I do that I can use some other 
> form of authentication for creating the tunnel like some form of OTP. Whether 
> it be RSA, TOTP, HOTP or Yubikey and possibly other things I haven’t thought 
> of.
> However once I do this, in my RADIUS server I receive the following 
> error once I try to authenticate. I figurd I’d test out LSA first, and 
> once I have that working I’d work on getting OTP’s working
> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
> *** Received from port 55428 ....
> Code:       Access-Request
> Identifier: 2
> Authentic:  
> <212><215><195><163><28><225><128><240><145>U[<219><239>BdV
> Attributes:
>                 Service-Type = Voice
>                 User-Name = "domain\username"
>                 Called-Station-Id = "UserAuthType:PW"
>                 MS-Machine-Name = "hostname.something"
>                 MS-Network-Access-Server-Type = Terminal-Server-Gateway
>                 NAS-Port-Type = Virtual
>                 Proxy-State = 
> <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
> Mon Jul 10 03:36:41 2017: DEBUG: Handling request with Handler 
> 'Client-Identifier = From_NPS', Identifier 'Default'
> Mon Jul 10 03:36:41 2017: DEBUG:  Deleting session for 
> domain\username,, Mon Jul 10 03:36:41 2017: DEBUG: Handling with 
> Radius::AuthLSA:
> Mon Jul 10 03:36:41 2017: DEBUG: AuthBy LSA result: REJECT, 
> Authentication protocol Unknown not allowed by AuthenProto 
> configuration parameter Mon Jul 10 03:36:41 2017: INFO: Access rejected for 
> domain\username: Authentication protocol Unknown not allowed by AuthenProto 
> configuration parameter Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
> *** Sending to port 55428 ....
> Code:       Access-Reject
> Identifier: 2
> Authentic:  <168><196>1<151><190>*<174><132><177>*l<209>\NT~
> Attributes:
>                 Reply-Message = "Request Denied"
>                 Proxy-State = 
> <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
> I tried the following handler for LSA auth:
> <Handler Client-Identifier = From_NPS>
>                 Identifier Default
>                 <AuthBy LSA>
>                                 Domain domainname
>                                 UsernameMatchesWithoutRealm
>                 </AuthBy>
>                 AuthLog                               Logfile_Dev
>                 AcctLogFileName %L/Dev_detail_%Y-%m-%d.log </Handler>
> Any pointers would be appreciated. 
> It should be possible, since for example this guide shows how to do it with 
> WikiD 
> http://www.techworld.com/tutorial/security/configuring-nps-2012-for-two-factor-authentication-3223170/.
> But I rather use 1 product instead of various products to achieve the same 
> result..
> We do actually have Azure MFA which can be used for this, but I actually 
> don’t want to use it for this scenario.
> Kind regards,
> Stephan Schwarz
> Senior Security Administrator | Leiden University Medical Center
> <image001.png>
> Tel.: +31 (0)71-526-1822
> Email: s.schw...@lumc.nl
> _______________________________________________
> radiator mailing list
> radiator@lists.open.com.au
> http://lists.open.com.au/mailman/listinfo/radiator


Hugh Irvine

Radiator: the most portable, flexible and configurable RADIUS server anywhere. 
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, 
TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, 
RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.

radiator mailing list

Reply via email to