Hello Stephan -
Yes, but there is no sort of password in the request, so Radiator rejects it.
This:
Called-Station-Id = "UserAuthType:PW"
might mean something, but you will need to find out what should happen with it.
regards
Hugh
> On 15 Jul 2017, at 21:46, <[email protected]> <[email protected]> wrote:
>
> Hi Hugh,
>
> Nah, there's no kind of machine authentication. It passes along the machine
> name purely for accounting information actually.
> With a regular RDP client, when you enable the gateway option, you have 2
> options to authenticate to the gateway: either smartcard (suppose I could go
> this route if I can't get RADIUS working) or username/password with NTLM.
> This would cause me to have to enter 2 sets of credentials in a row.
> Once to authenticate and establish a tunnel to the proxy. And the second
> credential screen that shows up is for the credentials to connect to the
> remote computer.
>
> You actually see the username that's sent for the authentication request
> under the Service-Type attribute.
>> Attributes:
>> Service-Type = Voice
>> User-Name = "domain\username"
>
> -----Original Message-----
> From: Hugh Irvine [mailto:[email protected]]
> Sent: Saturday, July 15, 2017 7:38 AM
> To: Schwarz, S. (ICT) <[email protected]>
> Cc: [email protected]
> Subject: Re: [RADIATOR] Using RADIUS with RDS Gateway
>
>
> Hello Stephan -
>
> What you show below does not look like a typical RADIUS authentication
> request.
>
> First of all it has a Service-Type = Voice, then it only has MS-Machine-Name
> = “hostname.something”.
>
> I am guessing this is some sort of preliminary host authentication, after
> which there may be some user authentication.
>
> hope that helps
>
> regards
>
> Hugh
>
>
>> On 15 Jul 2017, at 03:16, [email protected] wrote:
>>
>> Hi,
>>
>> I was wondering if the following should/could work and if anyone has
>> any experience setting it up. I spent some hours on it but haven’t
>> managed to get it to work so far…
>>
>> I have a windows terminal server/remote desktop services gateway, which is
>> a MS product for proxying RDP over a tunneled connection using TLS.
>> This is built on top of IIS/NPS. NPS is used for the authentication part.
>> Functionality wise, RDS GW provides exactly what I want, allowing a tunneled
>> RDP connection over 443 to resources I define on the GW server per
>> user/group.
>> The user will have to provide a username and password to create the tunnel
>> to the RDS GW, however by default it uses local authentication (active
>> directory). It’s possible to configure NPS to forward its authentication
>> requests to a RADIUS server, so I figured if I do that I can use some other
>> form of authentication for creating the tunnel like some form of OTP.
>> Whether it be RSA, TOTP, HOTP or Yubikey and possibly other things I haven’t
>> thought of.
>>
>> However, once I do this, I receive the following error in my RADIUS server
>> when I try to authenticate. I figured I’d test out LSA first, and
>> once I have that working I’d work on getting OTPs working.
>>
>> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
>> *** Received from 172.16.0.3 port 55428 ....
>> Code: Access-Request
>> Identifier: 2
>> Authentic:
>> <212><215><195><163><28><225><128><240><145>U[<219><239>BdV
>> Attributes:
>> Service-Type = Voice
>> User-Name = "domain\username"
>> Called-Station-Id = "UserAuthType:PW"
>> MS-Machine-Name = "hostname.something"
>> MS-Network-Access-Server-Type = Terminal-Server-Gateway
>> NAS-Port-Type = Virtual
>> Proxy-State =
>> <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
>>
>> Mon Jul 10 03:36:41 2017: DEBUG: Handling request with Handler 'Client-Identifier = From_NPS', Identifier 'Default'
>> Mon Jul 10 03:36:41 2017: DEBUG: Deleting session for domain\username, 172.16.0.3,
>> Mon Jul 10 03:36:41 2017: DEBUG: Handling with Radius::AuthLSA:
>> Mon Jul 10 03:36:41 2017: DEBUG: AuthBy LSA result: REJECT, Authentication protocol Unknown not allowed by AuthenProto configuration parameter
>> Mon Jul 10 03:36:41 2017: INFO: Access rejected for domain\username: Authentication protocol Unknown not allowed by AuthenProto configuration parameter
>> Mon Jul 10 03:36:41 2017: DEBUG: Packet dump:
>> *** Sending to 172.16.0.3 port 55428 ....
>> Code: Access-Reject
>> Identifier: 2
>> Authentic: <168><196>1<151><190>*<174><132><177>*l<209>\NT~
>> Attributes:
>> Reply-Message = "Request Denied"
>> Proxy-State =
>> <254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
>>
>>
>> I tried the following handler for LSA auth:
>>
>> <Handler Client-Identifier = From_NPS>
>>     Identifier Default
>>     <AuthBy LSA>
>>         Domain domainname
>>         UsernameMatchesWithoutRealm
>>     </AuthBy>
>>     AuthLog Logfile_Dev
>>     AcctLogFileName %L/Dev_detail_%Y-%m-%d.log
>> </Handler>
>>
>> Any pointers would be appreciated.
>> It should be possible, since for example this guide shows how to do it with
>> WikiD
>> http://www.techworld.com/tutorial/security/configuring-nps-2012-for-two-factor-authentication-3223170/.
>> But I’d rather use one product instead of various products to achieve the same
>> result.
>>
>> We do actually have Azure MFA which can be used for this, but I actually
>> don’t want to use it for this scenario.
>>
>>
>> Kind regards,
>>
>> Stephan Schwarz
>> Senior Security Administrator | Leiden University Medical Center
>>
>> Tel.: +31 (0)71-526-1822
>> Email: [email protected]
>>
>>
>> _______________________________________________
>> radiator mailing list
>> [email protected]
>> http://lists.open.com.au/mailman/listinfo/radiator
>
>
> --
>
> Hugh Irvine
> [email protected]
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS,
> PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
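Hugh's diagnosis rests on one observation: the Access-Request that NPS forwarded carries a User-Name but no attribute that could hold a credential, so Radiator's AuthBy LSA classifies the protocol as "Unknown" and rejects under AuthenProto. The following is an added diagnostic script (not from the thread and not part of Radiator) that parses a Radiator debug packet dump as printed above and reports which credential-bearing attribute is present, if any. The attribute-to-protocol mapping and the second, PAP-style dump are assumptions constructed for the example; the first dump is the one from Stephan's mail.

```python
import re

# Packet dump from the thread above (the Access-Request NPS forwarded for the
# RDS Gateway), with the mail quoting stripped. Binary values are kept exactly
# as Radiator prints them; they are not parsed.
NPS_DUMP = r"""Code: Access-Request
Identifier: 2
Authentic:
<212><215><195><163><28><225><128><240><145>U[<219><239>BdV
Attributes:
Service-Type = Voice
User-Name = "domain\username"
Called-Station-Id = "UserAuthType:PW"
MS-Machine-Name = "hostname.something"
MS-Network-Access-Server-Type = Terminal-Server-Gateway
NAS-Port-Type = Virtual
Proxy-State =
<254><128><0><0><0><0><0><0><228><28>lj<193>l@<170><0><0><0><2>
"""

# Constructed comparison dump (not from the thread): what the same request
# would look like if the NAS actually sent a PAP credential.
PAP_DUMP = r"""Code: Access-Request
Identifier: 3
Attributes:
Service-Type = Voice
User-Name = "domain\username"
User-Password = "<placeholder-encrypted-password>"
NAS-Port-Type = Virtual
"""

# Assumed mapping: which RADIUS attribute carries the credential, and the
# authentication protocol a server would infer from it. Checked in this order
# so a request that carries EAP-Message is classified as EAP even if other
# attributes are present.
CREDENTIAL_ATTRIBUTES = [
    ("EAP-Message", "EAP"),
    ("MS-CHAP2-Response", "MSCHAPV2"),
    ("MS-CHAP-Response", "MSCHAP"),
    ("CHAP-Password", "CHAP"),
    ("User-Password", "PAP"),
]

# One "Name = value" line inside the Attributes: section. Continuation lines
# that only contain binary bytes (<254><128>...) do not match and are skipped.
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$')


def parse_dump(text):
    """Return (code, identifier, [(attribute, value), ...]) from a Radiator dump."""
    code = None
    identifier = None
    attrs = []
    in_attrs = False
    for line in text.splitlines():
        if line.startswith("Code:"):
            code = line.split(":", 1)[1].strip()
        elif line.startswith("Identifier:"):
            identifier = int(line.split(":", 1)[1].strip())
        elif line.startswith("Attributes:"):
            in_attrs = True
        elif in_attrs:
            m = ATTR_RE.match(line)
            if m:
                # Strip the double quotes Radiator puts around string values.
                attrs.append((m.group(1), m.group(2).strip().strip('"')))
    return code, identifier, attrs


def auth_protocol(attrs):
    """Infer the authentication protocol from the credential attribute present."""
    names = {name for name, _ in attrs}
    for attr, proto in CREDENTIAL_ATTRIBUTES:
        if attr in names:
            return proto
    return "Unknown"


def diagnose(text):
    """Summarise a dump: protocol, whether an AuthBy would reject it, and why."""
    code, identifier, attrs = parse_dump(text)
    proto = auth_protocol(attrs)
    hints = []
    if proto == "Unknown":
        hints.append("no credential attribute (User-Password, CHAP-Password, "
                     "MS-CHAP*-Response or EAP-Message) in the request")
        for name, value in attrs:
            # The NAS claims a password-type login but sent no password.
            if name == "Called-Station-Id" and value.startswith("UserAuthType:"):
                hints.append(f"NAS announced {value!r} but did not include the credential")
    return {
        "code": code,
        "identifier": identifier,
        "user": dict(attrs).get("User-Name"),
        "protocol": proto,
        "would_reject": proto == "Unknown",
        "hints": hints,
    }


if __name__ == "__main__":
    for label, dump in (("NPS request from the thread", NPS_DUMP), ("constructed PAP request", PAP_DUMP)):
        print(label, "->", diagnose(dump))
```

Run against the thread's dump the script reports protocol "Unknown" and would-reject, matching the "Authentication protocol Unknown not allowed by AuthenProto" line in the log; against the constructed PAP dump it reports "PAP". The point for anyone proxying NPS to another RADIUS server is that the fix has to happen on the sending side (NPS or the gateway must actually include a credential), since no AuthBy configuration can authenticate a request that carries none.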