Forum Discussion
F5 Remote Desktop Gateway and MS Azure Multifactor Authentication
With Microsoft's own Remote Desktop Gateway (2012r2), it is now possible to require 2-factor authentication for RDP clients.
It is done by configuring the RD Gateway to use an NPS/Radius server, which in turn uses MS Azure Multifactor Authentication server (MFA) to add the second factor.
The configuration is described here:
http://www.rdsgurus.com/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/
2-factor authentication for RDP clients is a long-awaited feature, and I hoped and believed that it was possible to make this work also with the F5 RD Gateway.
After hours and hours of trying, I have realized that it's not straightforward, if possible at all.
The challenge/problem seems to be that the only place to put in an NPS/Radius server in the F5 solution is in the access profile (VPE), but if you do, the NPS/Radius responds with access_reject (unknown username or password).
I suspect this is because the access profile doesn't really participate in the NTLM authentication (challenge/response); that part is handled before the access profile - in the vdi profile.
So the access profile doesn't have any valid "password" to send to the NPS/Radius server.
I guess this might have worked if Radius was an option in the vdi profile, but the only option there is an NTLM Auth Configuration (Big IP Machine Account in a Windows domain).
My questions are:
- Has anyone had better luck than me setting up F5 RD Gateway with Azure MFA?
- Is it possible, via tmsh maybe, to make a vdi profile use Radius instead of an NTLM Auth Configuration?
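
As an added illustration of the reasoning in the post above (not code from the original post or from F5), and assuming the access profile's RADIUS client uses PAP: the RFC 2865 User-Password attribute is built from, and decoded back to, the cleartext password, while an NTLMv2 exchange gives the gateway only a challenge-bound proof. The shared secret, authenticator, password, response key and blob below are constructed sample values.

```python
import hashlib
import hmac

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding. Input is the CLEARTEXT password."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # null-pad to 16-byte blocks
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev  # each cipher block seeds the next mask
    return hidden

def radius_recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does: undo the mask and obtain the cleartext password."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")

def ntlmv2_proof(response_key: bytes, server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTLMv2 NTProofStr: HMAC-MD5 over challenge + blob, keyed by a password-derived key.
    A gateway relaying NTLM sees only this value, never the password itself."""
    return hmac.new(response_key, server_challenge + client_blob, hashlib.md5).digest()

# Constructed sample values (not from the page).
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"Constructed-Pass1"               # 17 bytes, so two 16-byte blocks
RESPONSE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
BLOB = b"constructed-client-blob"

if __name__ == "__main__":
    hidden = radius_hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    print("RADIUS server recovers:", radius_recover_password(hidden, SECRET, AUTHENTICATOR))
    # The same user answering two different challenges yields unrelated 16-byte proofs;
    # neither can be placed in a PAP User-Password attribute and validate.
    print("NTLM proof 1:", ntlmv2_proof(RESPONSE_KEY, b"\x01" * 8, BLOB).hex())
    print("NTLM proof 2:", ntlmv2_proof(RESPONSE_KEY, b"\x02" * 8, BLOB).hex())
```
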
- gurulee_340176 (Altostratus)
We use RDS with our on-premise Azure MFA and not through F5 due to the limitation the F5 introduces with RDS/RDP. However, we are in the process of testing F5 with MFA for our Citrix environment.
- Walter_Kacynski (Cirrostratus)
You can use a RADIUS Agent to connect with an on-prem Azure MFA server for Two-Factor checks.