I have a PhoneFactor implementation that I love and cherish for VPN access. PhoneFactor provides us a RADIUS server that checks against an approved-users list and our Active Directory implementation, then calls to provide two-factor auth. I want to set up Remote Desktop Services in Windows Server 2008 R2 to have RDP authenticate against RADIUS rather than AD itself. Is there a way to accomplish this?

Brent Pabst
tacos_tacos_tacos

1 Answer

The only way I can think to do this easily is by using a Remote Desktop Gateway. The call to the gateway can then go to a Network Policy Server (NPS) which can issue remote RADIUS calls. I don't know of any way to issue RADIUS requests for direct Remote Desktop Access since at that point you have already gotten to the client and the client follows its normal authentication route.

With the Remote Desktop Gateway you essentially set up an RDP over HTTPS environment and the server does the first-pass authentication, which can include RADIUS calls. It essentially offloads the authentication and authorization to either a local or central NPS box. You can easily configure the NPS box to look to your custom RADIUS box. Once past the server the client still has to authenticate with the client, but the idea is that the server already did your two-factor authentication; the client is really just a formality at that point.

Hope that helps.

Brent Pabst
  • This is what I was kind of thinking, and that helps. My only concern about RDP-over-HTTPS would be performance... do you have any personal experience with performance issues when switching from RDP to the RDP Gateway-based service? – tacos_tacos_tacos Aug 13 '12 at 15:39
  • Nope. It depends on your overall connection, but since RDP traffic is typically already secure it's about the same. There is some initial delay simply because it has to hop through the gateway, but none that I have found. Can't speak to adding a RADIUS box to the mix. We ran two load-balanced RDG boxes with two failover NPS boxes; it worked like a champ. On a single failure the traffic would all fail over within 20-30 seconds, only a brief lockup for the clients. – Brent Pabst Aug 13 '12 at 15:42
  • I forgot the term for this, but what do you think about a method where the user has to connect to some small web app that basically does RADIUS auth and then grants them the ability to connect to the public RDP server via a firewall rule change. – tacos_tacos_tacos Aug 13 '12 at 15:51
  • Not sure about the exact scenario, but typically it's just referred to as SSO or Single Sign-On. It typically extends to multiple applications, but you allow the user to sign on once and as long as their session is alive they can access any corporate resources. Check out ADFS for that. – Brent Pabst Aug 13 '12 at 15:53
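The answer above leaves the "remote RADIUS call" from NPS to the PhoneFactor box as a black box. The following is an added example, not code from the answer, from PhoneFactor or from Microsoft: it models that one hop in Python against RFC 2865 so you can see what actually crosses the wire and what the gateway side must check before it trusts an Access-Accept. The RADIUS server class is a constructed stand-in for PhoneFactor (approved-user list, password check, then a simulated phone call); the user names, passwords, the NAS-Identifier value and the shared secret are all made up for the example.

```python
import hashlib
import os
import struct

# RFC 2865 packet codes and the attribute types this example uses
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 18, 32
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS Type-Length-Value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    """Parse TLV attributes; a bad length is an error, not an infinite loop."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def pap_crypt(data, secret, request_auth, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding: XOR each 16-byte block with MD5(secret + chain value)."""
    if len(data) % 16:
        raise ValueError("User-Password must be a multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = block if decrypt else result  # the chain value is always the ciphertext block
    return bytes(out)


def parse_packet(packet):
    if len(packet) < 20 or HEADER.unpack_from(packet)[2] != len(packet):
        raise ValueError("bad packet length")
    code, ident, _ = HEADER.unpack_from(packet)
    return code, ident, packet[4:20], decode_attrs(packet[20:])


def build_access_request(username, password, secret, ident, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, pap_crypt(padded, secret, request_auth)),
                         (NAS_IDENTIFIER, b"rdgw-nps-01")])  # hypothetical NPS name
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()


class TwoFactorRadiusServer:
    """Constructed stand-in for the PhoneFactor RADIUS server: approved list, password, then phone call."""

    def __init__(self, secret, approved_users, phone_confirms):
        self.secret = secret
        self.approved_users = approved_users  # username -> password; constructed, the real server asks AD
        self.phone_confirms = phone_confirms  # callable(username) -> bool; simulates the phone call

    def handle(self, packet):
        code, ident, request_auth, attrs = parse_packet(packet)
        if code != ACCESS_REQUEST:
            return None
        fields = dict(attrs)
        user = fields.get(USER_NAME, b"")
        try:
            password = pap_crypt(fields.get(USER_PASSWORD, b""), self.secret, request_auth, decrypt=True)
        except ValueError:
            password = None
        # Order matters: unlisted users and bad passwords never trigger a phone call
        ok = (user in self.approved_users
              and password is not None and password.rstrip(b"\x00") == self.approved_users[user]
              and self.phone_confirms(user))
        reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        body = encode_attrs([(REPLY_MESSAGE, b"second factor confirmed" if ok else b"denied")])
        auth = response_authenticator(reply_code, ident, request_auth, body, self.secret)
        return HEADER.pack(reply_code, ident, 20 + len(body)) + auth + body


def authenticate_via_radius(server, username, password, secret, ident=1):
    """What NPS does for the gateway: send Access-Request, verify the reply before trusting it."""
    request_auth = os.urandom(16)
    reply = server.handle(build_access_request(username, password, secret, ident, request_auth))
    if reply is None:
        return "timeout"
    code, reply_ident, reply_auth, _ = parse_packet(reply)
    expected = response_authenticator(code, reply_ident, request_auth, reply[20:], secret)
    if reply_ident != ident or reply_auth != expected:
        return "invalid"  # wrong shared secret or forged reply: RFC 2865 says discard silently
    return "accept" if code == ACCESS_ACCEPT else "reject"
```

Call `authenticate_via_radius(server, b"alice", b"correct-horse", SECRET)` with a `TwoFactorRadiusServer` built on the same secret to see an accept; pass a different secret on the client side and the result is "invalid" rather than "reject", which is what a mistyped shared secret looks like in practice: NPS discards the reply and the user sees a timeout, not a bad-password error. Two caveats the exchange makes visible: the Response Authenticator is the only thing stopping a host between NPS and the RADIUS box from forging an Access-Accept, so the secret must be long and random and the path should be trusted or IPsec-protected; and because the second factor is a phone call that takes tens of seconds, the per-server timeout on the NPS remote RADIUS server group (and the gateway's own logon timeout) must be raised well above the default of a few seconds, or NPS will retry and give up while the user is still answering.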