Forum Discussion

ArildE's avatar
ArildE
Icon for Nimbostratus rankNimbostratus
Apr 24, 2017

F5 Remote Desktop Gateway and MS Azure Multifactor Authentication

With Microsofts own Remote Desktop Gateway (2012r2) it is now possible to require 2-factor authentication for RDP clients.

 

It is done by configuring the RD Gateway to use a NPS/Radius server which in turn uses MS Azure Multifactor Authentication server (MFA) to add the second factor.

 

The configuration is described here:

 

http://www.rdsgurus.com/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/

 

2-factor authentication for RDP clients is a long-awaited feature, and I hoped and believed that it was possible to make this work also with the F5 RD Gateway.

 

After hours and hours trying I have realized that its not straight forward, if possible at all.

 

The challenge/problem seems to be that the only place to put in a NPS/Radius server in the F5 solution is in the access profile (VPE), but if you do the NPS/Radius responds with access_reject (unknown username or password).

 

I suspect this is because the access profile doesn't really participate in the NTLM authentication (challenge/response), that part is handled before the access profile - in the vdi profile.

 

So the access profile doesn't have any valid "password" to send to the NPS/Radius server.

 

I guess this might have worked if Radius was an option in the vdi profile, but the only option there is a NTLM Auth Configuration (Big IP Machine Account in a Windows domain).

 

My questions are:

 

  • Has anyone had better luck than me setting up F5 RD Gateway with Azure MFA?
  • Is it possible, via tmsh maybe, to make a vdi profile use Radius instead of a NTLM Auth Configuration?