Forum Discussion
Radius authentication on Publication of Windows 2012 RDS Webaccess and RDS Gateway
Hello,
We are looking for a solution to implement RDS Gateway and RDS Web Access with a requirement for RADIUS OTP two-factor authentication. I see that the F5 LTM has support for publishing the reverse proxy virtual server for the RDS RPC traffic, so I am wondering if that also provides support for RADIUS OTP 2FA. Has anyone done this before?
Many thanks, Eric
4 Replies
- Mike_61719 (Cirrus)
Yes, it depends on how you want it set up (architecture). In many cases, you log into the APM with SSO to the RDS server and you have the two-factor authentication within the RDS server itself.
In other cases, you have the two-factor authentication at the APM login level and do the RADIUS authentication up front. It depends on how you set it up.
- evegter_163099 (Nimbostratus)
Hi Mike, thanks for the reply. When you say "the two-factor authentication within the RDS server itself", how exactly do you mean that? What kind of implementation of 2FA does RDS provide? I know the RDS Gateway server uses NPS as the authentication and authorization layer, and that can also redirect login to RADIUS with AD user mapping etc., but I have not implemented anything like that yet and wonder how the integration and SSO with Web Access would work and when/how exactly the user would get prompted for the OTP key in that scenario. So I was hoping an enterprise reverse proxy/load balancer like F5 would provide this kind of AD+OTP 2FA feature out of the box. The document "f5-microsoft-remote-desktop-services-dg.pdf" doesn't mention it, so a multi-scenario document would be nice ;)
Your remark "In other cases, you have the two-factor authentication at the APM login level and do the radius authentication up front" basically sounds like what we have in mind. Do you know of any documentation that describes this?
Many thanks, Eric
- Mike_61719 (Cirrus)
In the first scenario, you install the two-factor software on the RDS server. It will send a call to the device or database used for two-factor authentication. In this case, similar to PhoneFactor or using the Azure cloud.
In the second case, you will set up APM login: username, password (AD usually) and two-factor authentication token. You're basically authenticating at the APM level rather than on the RDS server.
I like the RSA token guide: http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/6.html
http://support.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/apm_authentication_config_11_0_0/_jcr_content/pdfAttach/download/file.res/apm_authentication_config_11_0_0.pdf
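To make the "RADIUS up front" design from the reply above concrete, here is an added example (not F5 APM, NPS or Microsoft code, and not part of the original thread) that walks through one RADIUS Access-Request/Access-Accept exchange as RFC 2865 defines it: the client (the role APM would play) hides the User-Password attribute under the shared secret and request authenticator, and the server (the role an OTP RADIUS server behind NPS would play) recovers the value, checks it as a hardware-token code and signs the reply with the Response Authenticator. The token algorithm is HOTP (RFC 4226) as a stand-in for whatever the token vendor uses; the user name, shared secret, HOTP seed and the in-memory `OtpServer` class are all assumptions constructed for the example.

```python
"""Constructed example: RFC 2865 RADIUS exchange carrying a hardware-token OTP.
Not F5/NPS code; OtpServer stands in for the OTP RADIUS server behind NPS."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; NUL padding is stripped (RADIUS passwords cannot contain NUL)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the 2 header bytes too."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack(">BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def access_request(user: bytes, password: bytes, secret: bytes, ident: int = 1, request_auth: bytes = None) -> bytes:
    """Client side (the APM role): fresh random Request Authenticator, hidden password."""
    ra = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, ra))
    return build_packet(ACCESS_REQUEST, ident, ra, attrs)


class OtpServer:
    """Server side (stand-in for the OTP RADIUS server): tokens maps user -> (hotp_key, next_counter)."""

    def __init__(self, secret: bytes, tokens: dict, window: int = 3):
        self.secret, self.tokens, self.window = secret, tokens, window

    def handle(self, packet: bytes) -> bytes:
        code, ident, length = struct.unpack(">BBH", packet[:4])
        ra = packet[4:20]
        attrs = parse_attrs(packet[20:length])
        user = attrs.get(USER_NAME)
        presented = unhide_password(attrs[USER_PASSWORD], self.secret, ra)
        accepted = False
        if user in self.tokens:
            key, counter = self.tokens[user]
            # Accept a small look-ahead window for counter drift; on success move the
            # counter past the used value so the same code cannot be replayed.
            for c in range(counter, counter + self.window):
                if hmac.compare_digest(hotp(key, c).encode(), presented):
                    self.tokens[user] = (key, c + 1)
                    accepted = True
                    break
        reply_code = ACCESS_ACCEPT if accepted else ACCESS_REJECT
        auth = response_authenticator(reply_code, ident, ra, b"", self.secret)
        return build_packet(reply_code, ident, auth, b"")


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: reply must carry our Identifier and a Response Authenticator
    computed with our Request Authenticator and the shared secret, and be an Accept."""
    code, ident, length = struct.unpack(">BBH", response[:4])
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return ident == request[1] and hmac.compare_digest(expected, response[4:20]) and code == ACCESS_ACCEPT


if __name__ == "__main__":
    secret = b"s3cret"                                   # assumed shared secret
    seed = b"12345678901234567890"                       # RFC 4226 test seed, assumed token key
    server = OtpServer(secret, {b"eric": (seed, 0)})
    request = access_request(b"eric", hotp(seed, 0).encode(), secret, ident=7)
    reply = server.handle(request)
    print("first use accepted:", verify_response(reply, request, secret))
    print("replay accepted:", verify_response(server.handle(request), request, secret))
```

Two things the exchange makes visible that the architecture discussion does not: the User-Password hiding and the Response Authenticator both rest on MD5 over the shared secret, so the secret quality and the network path between APM/NPS and the OTP server matter, and a real deployment should also require the Message-Authenticator attribute (RFC 2869) rather than relying on the Response Authenticator alone. The replay rejection comes from the server advancing the HOTP counter, not from RADIUS itself, which has no replay protection of its own.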
- evegter_163099 (Nimbostratus)
Thanks! I'll read the docs and see where that takes me. The PhoneFactor solution (now Microsoft) that uses the Azure MFA server as a RADIUS proxy in combination with the RDS Gateway is basically what we'd like, but it is not accepted by the customer because of availability/coverage reasons for SMS-like token exchange, so we need to get the solution to work with hardware tokens.