Hello Stephan -

Yes, but there is no sort of password in the request, so Radiator rejects it.

This:

         Called-Station-Id  = "UserAuthType:PW"

might mean something, but you will need to find out what should happen with it.

regards

Hugh


> On 15 Jul 2017, at 21:46, <s.schw...@lumc.nl> <s.schw...@lumc.nl> wrote:
> 
> Hi Hugh,
> 
> Nah, there's no kind of machine authentication. It passes along the machine 
> name purely for accounting information actually.
> With a regular RDP client, when you enable the gateway option, you have 2 
> options to authenticate to the gateway: either smartcard (suppose I could go 
> this route if I can't get RADIUS working) or username/password with NTLM.
> This would cause me to have to enter 2 sets of credentials in a row.
> Once to authenticate and establish a tunnel to the proxy. And the second 
> credential screen that shows up is for the credentials to connect to the 
> remote computer.
> 
> You actually see the username that's sent for the authentication request 
> under the Service-Type attribute.
>> Attributes:
>>                Service-Type = Voice
>>                User-Name = "domain\username"
> 
> -----Original Message-----
> From: Hugh Irvine [mailto:h...@open.com.au] 
> Sent: Saturday, July 15, 2017 7:38 AM
> To: Schwarz, S. (ICT) <s.schw...@lumc.nl>
> Cc: radia...@open.com.au
> Subject: Re: [RADIATOR] Using RADIUS with RDS Gateway
> 
> 
> Hello Stephan -
> 
> What you show below does not look like a typical RADIUS authentication 
> request.
> 
> First of all it has a Service-Type = Voice, then it only has MS-Machine-Name 
> = “hostname.something”.
> 
> I am guessing this is some sort of preliminary host authentication, after 
> which there may be some user authentication.
> 
> hope that helps
> 
> regards
> 
> Hugh
> 
> 
>> On 15 Jul 2017, at 03:16, s.schw...@lumc.nl wrote:
>> 
>> Hi,
>> 
>> I was wondering if the following should/could work and if anyone has 
>> any experience setting it up. I spent some hours on it but haven’t 
>> managed to get it to work so far…
>> 
>> I have a Windows terminal server/remote desktop services gateway, which is 
>> a MS product for proxying RDP over a tunneled connection using TLS.
>> This is built on top of IIS/NPS. NPS is used for the authentication part.
>> Functionality wise, RDS GW provides exactly what I want, allowing a tunneled 
>> RDP connection over 443 to resources I define on the GW server per 
>> user/group.
>> The user will have to provide a username and password to create the tunnel 
>> to the RDS GW, however by default it uses local authentication (active 
>> directory). It’s possible to configure NPS to forward its authentication 
>> requests to a RADIUS server, so I figured if I do that I can use some other 
>> form of authentication for creating the tunnel like some form of OTP. 
>> Whether it be RSA, TOTP, HOTP or Yubikey and possibly other things I haven’t 
>> thought of.
>> 
>> However once I do this, in my RADIUS server I receive the following 
>> error once I try to authenticate. I figured I’d test out LSA first, and 
>> once I have that working I’d work on getting OTPs working.
>> 
>> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
>> *** Received from 172.16.0.3 port 55428 ....
>> Code:       Access-Request
>> Identifier: 2
>> Authentic:  
>> <212><215><195><163><28><225><128><240><145>U[<219><239>BdV
>> Attributes:
>>                Service-Type = Voice
>>                User-Name = "domain\username"
>>                Called-Station-Id = "UserAuthType:PW"
>>                MS-Machine-Name = "hostname.something"
>>                MS-Network-Access-Server-Type = Terminal-Server-Gateway
>>                NAS-Port-Type = Virtual
>>                Proxy-State = 
>> <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
>> 
>> Mon Jul 10 03:36:41 2017: DEBUG: Handling request with Handler 
>> 'Client-Identifier = From_NPS', Identifier 'Default'
>> Mon Jul 10 03:36:41 2017: DEBUG:  Deleting session for domain\username, 172.16.0.3, 
>> Mon Jul 10 03:36:41 2017: DEBUG: Handling with Radius::AuthLSA:
>> Mon Jul 10 03:36:41 2017: DEBUG: AuthBy LSA result: REJECT, 
>> Authentication protocol Unknown not allowed by AuthenProto 
>> configuration parameter
>> Mon Jul 10 03:36:41 2017: INFO: Access rejected for 
>> domain\username: Authentication protocol Unknown not allowed by AuthenProto 
>> configuration parameter
>> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
>> *** Sending to 172.16.0.3 port 55428 ....
>> Code:       Access-Reject
>> Identifier: 2
>> Authentic:  <168><196>1<151><190>*<174><132><177>*l<209>\NT~
>> Attributes:
>>                Reply-Message = "Request Denied"
>>                Proxy-State = 
>> <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
>> 
>> 
>> I tried the following handler for LSA auth:
>> <Handler Client-Identifier = From_NPS>
>>     Identifier Default
>>     <AuthBy LSA>
>>         Domain domainname
>>         UsernameMatchesWithoutRealm
>>     </AuthBy>
>>     AuthLog          Logfile_Dev
>>     AcctLogFileName  %L/Dev_detail_%Y-%m-%d.log
>> </Handler>
>> 
>> Any pointers would be appreciated. 
>> It should be possible, since for example this guide shows how to do it with 
>> WikiD 
>> http://www.techworld.com/tutorial/security/configuring-nps-2012-for-two-factor-authentication-3223170/.
>> But I’d rather use one product instead of various products to achieve the same 
>> result.
>> 
>> We do actually have Azure MFA which can be used for this, but I actually 
>> don’t want to use it for this scenario.
>> 
>> 
>> Kind regards,
>> 
>> Stephan Schwarz
>> Senior Security Administrator | Leiden University Medical Center
>> 
>> Tel.: +31 (0)71-526-1822
>> Email: s.schw...@lumc.nl
>> 
>> 
>> _______________________________________________
>> radiator mailing list
>> radiator@lists.open.com.au
>> http://lists.open.com.au/mailman/listinfo/radiator
> 
> 
> --
> 
> Hugh Irvine
> h...@open.com.au
> 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, 
> PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER, SIM, etc. 
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 


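An added example, not from this thread and not Radiator's code, that makes Hugh's point concrete: it rebuilds the dumped Access-Request as RFC 2865 bytes (fixed authenticator, the Proxy-State bytes from the dump), parses it, and classifies the authentication protocol by which credential-bearing attribute is present, which is the decision a RADIUS server has to make before it can verify anything. The dumped request classifies as "Unknown" because it carries a User-Name but no User-Password, CHAP-Password, MS-CHAP(2)-Response or EAP-Message; a constructed PAP request with an RFC 2865 hidden User-Password classifies as "PAP", and the password is recoverable with the shared secret. The shared secret, the password, the Microsoft sub-type numbers 47/50 and the value 1 for Terminal-Server-Gateway are assumptions, and the classifier is a model of the check, not Radiator's AuthenProto logic.

```python
"""Added example (not from the thread or Radiator): rebuild the dumped Access-Request
as RFC 2865 bytes, parse it, and classify the authentication protocol by which
credential attribute is present. Secret, password, and the Microsoft sub-type
numbers 47/50 (value 1 = Terminal-Server-Gateway) are assumptions."""
import hashlib
import struct

# Attribute types from RFC 2865/2869; Microsoft vendor ID and sub-types from RFC 2548.
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, SERVICE_TYPE = 1, 2, 3, 6
VENDOR_SPECIFIC, CALLED_STATION_ID, PROXY_STATE, NAS_PORT_TYPE, EAP_MESSAGE = 26, 30, 33, 61, 79
MS_VENDOR, MS_CHAP_RESPONSE, MS_CHAP2_RESPONSE = 311, 1, 25
MS_NAS_TYPE, MS_MACHINE_NAME = 47, 50   # assumed from common RADIUS dictionaries

def avp(atype, value):
    """Type(1) Length(1) Value, RFC 2865 section 5."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def ms_vsa(subtype, value):
    """Vendor-Specific (26) carrying one Microsoft sub-attribute (RFC 2548 layout)."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", MS_VENDOR) + avp(subtype, value))

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: 16-byte blocks XORed with an MD5(secret + previous block) chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def recover_password(hidden, secret, authenticator):
    """Inverse of hide_password; what the server does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse(packet):
    """Return (code, identifier, authenticator, [(type, vendor, subtype, value)])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    authenticator, pos, attrs = packet[4:20], 20, []
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6 and value[5] + 4 <= len(value):
            attrs.append((atype, struct.unpack("!I", value[:4])[0], value[4], value[6:value[5] + 4]))
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return code, ident, authenticator, attrs

def auth_protocol(attrs):
    """Which credential-bearing attribute is in the request; none present -> Unknown."""
    present = {(t, v, s) for t, v, s, _ in attrs}
    if (EAP_MESSAGE, None, None) in present:
        return "EAP"
    if (VENDOR_SPECIFIC, MS_VENDOR, MS_CHAP2_RESPONSE) in present:
        return "MSCHAPV2"
    if (VENDOR_SPECIFIC, MS_VENDOR, MS_CHAP_RESPONSE) in present:
        return "MSCHAP"
    if (CHAP_PASSWORD, None, None) in present:
        return "CHAP"
    if (USER_PASSWORD, None, None) in present:
        return "PAP"
    return "Unknown"

def nps_request():
    """Constructed copy of the dumped request: user name and gateway metadata,
    no credential. Fixed authenticator so the bytes are reproducible."""
    attrs = [
        avp(SERVICE_TYPE, struct.pack("!I", 12)),             # Voice
        avp(USER_NAME, b"domain\\username"),
        avp(CALLED_STATION_ID, b"UserAuthType:PW"),           # a string, not a credential
        ms_vsa(MS_MACHINE_NAME, b"hostname.something"),
        ms_vsa(MS_NAS_TYPE, struct.pack("!I", 1)),            # Terminal-Server-Gateway (assumed)
        avp(NAS_PORT_TYPE, struct.pack("!I", 5)),             # Virtual
        avp(PROXY_STATE, bytes.fromhex("fe80000000000000e41c6c6ac16c40aa00000002")),
    ]
    return build_access_request(2, bytes(range(16)), attrs)

def pap_request(secret, password, authenticator):
    """Constructed PAP request for the same user, with a hidden User-Password."""
    attrs = [avp(USER_NAME, b"domain\\username"),
             avp(USER_PASSWORD, hide_password(password, secret, authenticator))]
    return build_access_request(3, authenticator, attrs)

if __name__ == "__main__":
    print("dumped request ->", auth_protocol(parse(nps_request())[3]))      # Unknown
    secret, ra = b"example-shared-secret", bytes(range(16, 32))
    attrs = parse(pap_request(secret, b"correct horse", ra))[3]
    hidden = next(v for t, _, _, v in attrs if t == USER_PASSWORD)
    print("PAP request ->", auth_protocol(attrs), recover_password(hidden, secret, ra))  # PAP b'correct horse'
```

The parser surfaces Called-Station-Id = "UserAuthType:PW" as an ordinary string attribute alongside the rest, which is why it cannot substitute for a credential: whatever NPS means by it, nothing in the packet lets the server verify a password.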
