
Microsoft Remote Desktop Gateway - RADIUS integration

Multi-factor authentication (MFA) is an extra layer of security used when logging in to websites or apps: users are authenticated through more than one required validation procedure, each based on something that only they know or have access to.

RADIUS is a protocol commonly used to authenticate, authorize, and account for user access and actions.

Acceptto offers a simple solution for adding MFA to Remote Desktop Connection via its RADIUS solution. This step-by-step guide shows how to configure Microsoft Remote Desktop Gateway (RDG) with the Acceptto RADIUS MFA authentication solution.

Prerequisites

  • Acceptto RADIUS Agent that is configured and connected to your user directory. For example, Microsoft Active Directory (AD).

    For more information, see the Acceptto RADIUS deployment guide.

  • A domain-joined Microsoft Windows Server with the RDG and NPS roles installed.

Acceptto RADIUS Agent configuration

To integrate Acceptto with your RDG, you will need to install an Acceptto RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your RDG, check with the LDAP server to perform primary authentication, and then contact the Acceptto cloud service for secondary authentication.

To set up the Acceptto RADIUS Agent, refer to the Acceptto RADIUS deployment guide. After the setup, add these two additional variables to the radius-agent-config.env file to enable support for Microsoft Remote Desktop Gateway:

  ARA_TRIM_NETBIOS_DOMAIN=true
  
  ARA_ALLOW_PASSWORDLESS=true

RDG configuration

  1. Log in with an administrative user to the Windows Server that has the NPS and RDG roles installed and configured.

  2. Open the Network Policy Server manager.

  3. Expand RADIUS Clients and Servers in the left sidebar.

  4. Select Remote RADIUS Server.

  5. Right click on TS GATEWAY SERVER GROUP and click on Add.

  6. Enter the IP address of the Acceptto RADIUS server, then go to the Authentication/Accounting tab and enter the Acceptto RADIUS shared secret that you configured earlier.

  7. Go to the Load Balancing tab, set both the Number of seconds without response before request is considered dropped and the Number of seconds between requests when server is identified as unavailable options to 120, and click OK.

  8. Right-click the RADIUS Clients section and add the RDP machines as RADIUS clients in the NPS configuration.

  9. Navigate to the Policies section and click on Connection Request Policies.

  10. Right-click TS Gateway Authentication Policy, go to the Settings tab, select Authentication, set it to Forward requests to the following remote RADIUS server group for authentication, and click OK.

  11. Go to Network Policies and double-click your RDG CAP policy.

  12. Click the Conditions tab, click Add to add the Called Station ID option, enter UserAuthType:(PW), and click OK.

  13. Click OK to save RDG CAP.

  14. Open the RD Gateway Manager from your Start Menu.

  15. Right click on your RD server in the left sidebar and click on Properties.

  16. Select the RD CAP Store tab.

  17. Select the Central server running NPS radio button and click OK.
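
A read-only review of the settings made in the steps above, as an added example that is not part of the Acceptto or SecureAuth documentation. It uses the NPS module's Get-NpsRadiusClient, the netsh nps context, and the RDS: drive of the RemoteDesktopServices module; the IP address is a placeholder, and the substring checks assume the server was entered by IP address and that netsh prints the condition value as typed in step 12.

```powershell
# Added example: read-only review of the NPS / RD Gateway settings from the steps above.
# Run in an elevated PowerShell session on the RDG/NPS server.
$AccepttoRadiusIp = '192.0.2.10'   # placeholder (assumption): your Acceptto RADIUS Agent IP

Import-Module NPS
Import-Module RemoteDesktopServices   # provides the RDS: drive

Write-Host '== RADIUS clients (step 8) =='
# SharedSecret is deliberately not selected so it stays out of console logs and transcripts.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled | Format-Table -AutoSize

Write-Host '== Remote RADIUS servers (steps 5-7) =='
$remoteServers = netsh nps show remoteserver
# Print everything except any line that mentions a secret; review the two timeouts set in step 7.
$remoteServers | Where-Object { $_ -notmatch 'secret' }
if (-not ($remoteServers | Select-String -SimpleMatch $AccepttoRadiusIp)) {
    Write-Warning "No remote RADIUS server entry contains $AccepttoRadiusIp; check steps 5-6."
}

Write-Host '== Connection request policies (steps 9-10) =='
# Confirm TS Gateway Authentication Policy forwards authentication to the remote server group.
netsh nps show crp

Write-Host '== Network policy condition (steps 11-13) =='
$networkPolicies = netsh nps show np
if (-not ($networkPolicies | Select-String -SimpleMatch 'UserAuthType:(PW)')) {
    Write-Warning 'No network policy shows the UserAuthType:(PW) condition; review the RDG CAP policy.'
}

Write-Host '== RD CAP store (steps 14-17) =='
$centralCap = (Get-Item -Path 'RDS:\GatewayServer\CentralCAPEnabled').CurrentValue
if ($centralCap -ne 1) {
    Write-Warning 'RD CAP store is not set to a central server running NPS.'
} else {
    Write-Host 'RD CAP store: central server running NPS.'
}
```

The script changes nothing; a warning means the matching step should be re-checked in the NPS or RD Gateway Manager console.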


Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the SecureAuth Corporation.