Skip to main content

Microsoft Remote Desktop Gateway RADIUS integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly used to authenticate, authorize, and account for user access and actions.

Arculix by SecureAuth offers a simple solution for adding MFA to Remote Desktop Connection via its RADIUS solution. This step by step integration instruction illustrates how to configure Microsoft Remote Desktop Gateway and Arculix RADIUS MFA authentication solution.

Prerequisites

  • Arculix RADIUS Agent that is configured and connected to your user directory. For example, Microsoft Active Directory (AD).

    For more information, see the Arculix RADIUS Agent deployment guide.

  • A domain-joined Microsoft Windows Server with installed RDG and NPS roles.

Arculix RADIUS Agent configuration

To integrate Arculix with your RDG, you will need to install an Arculix RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your RDG, check with LDAP server to perform primary authentication, and then contact Arculix cloud service for secondary authentication.

For setting up Arculix RADIUS Agent, refer to the Arculix RADIUS Agent deployment guide. After the setup, add these two additional variables to radius-agent-config.env file to enable support for Microsoft Remote Desktop Gateway:

  ARA_TRIM_NETBIOS_DOMAIN=true
  
  ARA_ALLOW_PASSWORDLESS=true

RDG configuration

  1. As an administrator, log in to the Windows Server where you have configured and installed NPS and RDG roles.

  2. Open the Network Policy Server manager.

  3. Select RADIUS Clients and Servers in the left sidebar.

  4. Select Remote RADIUS Server.

  5. Right click on TS GATEWAY SERVER GROUP and click Add.

    ms-rdg_ts-gateway.png
  6. In the Address > Server section, enter the IP address of the Arculix RADIUS Server.

    ms-rdg_add-radius-server.png
  7. Go to the Authentication/Accounting tab and enter the shared secret of Arculix RADIUS configured in the previous section.

  8. Go to the Load Balancing tab and set the following:

    Number of seconds without response before request is considered dropped

    Set to 120.

    Number of seconds between requests when server is identified as unavailable

    Set to 120.

    ms-rdg_load-balancing.png
  9. Click OK.

  10. In the left hand navigation, right click on RADIUS Clients and click Add RDP machines as ARDIUSclients to the NPS configuration.

    ms-rdg_radius-clients.png
  11. Go to the Policies section and click Connection Request Polices.

    ms-rdg_policies.png
  12. Right click on TS Gateway Authentication Policy and go to the Settings tab.

  13. Select Authentication and select the option for Forward requests to the following remote RADIUS server group for authentication.

    ms-rdg_ts-gateway-setup.png
  14. Click OK.

  15. Go to Network Polices and double click on your RDG CAP policy.

    ms-rdg_network-policies.png
  16. Go to the Conditions tab and select Called Station ID. Click Add.

    ms-rdg_conditions.png
  17. Enter UserAuthType:(PW) and click OK.

  18. Click OK to save RDG CAP.

    ms-rdg_rdg-cap.png
  19. Open the RD Gateway Manager from your Start Menu.

  20. Right click on your RD server in the left sidebar and click Properties.

  21. Select the RD CAP Store tab.

  22. Select the option for Central server running NPS and click OK.

    ms-rdg_lab-rdg-properties.png

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.