Forum Discussion

ArildE
9 years ago

F5 Remote Desktop Gateway and MS Azure Multifactor Authentication

With Microsoft's own Remote Desktop Gateway (2012 R2) it is now possible to require 2-factor authentication for RDP clients.

It is done by configuring the RD Gateway to use an NPS/RADIUS server, which in turn uses the MS Azure Multifactor Authentication server (MFA) to add the second factor.

The configuration is described here:

http://www.rdsgurus.com/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/

2-factor authentication for RDP clients is a long-awaited feature, and I hoped and believed that it was possible to make this work also with the F5 RD Gateway.

After hours and hours of trying I have realized that it's not straightforward, if possible at all.

The challenge/problem seems to be that the only place to put an NPS/RADIUS server in the F5 solution is in the access profile (VPE), but if you do, the NPS/RADIUS server responds with Access-Reject (unknown username or password).

I suspect this is because the access profile doesn't really participate in the NTLM authentication (challenge/response); that part is handled before the access profile, in the vdi profile.

So the access profile doesn't have any valid "password" to send to the NPS/RADIUS server.

I guess this might have worked if RADIUS was an option in the vdi profile, but the only option there is an NTLM Auth Configuration (BIG-IP machine account in a Windows domain).

My questions are:

  • Has anyone had better luck than me setting up the F5 RD Gateway with Azure MFA?
  • Is it possible, via tmsh maybe, to make a vdi profile use RADIUS instead of an NTLM Auth Configuration?

3 Replies