Microsoft Remote Desktop Gateway RADIUS integration

A Remote Desktop Gateway-based infrastructure relies on NPS to authenticate users. The following steps are necessary to configure NPS to use inWebo RADIUS servers to authenticate users with multi-factor authentication in addition to the traditional login / password.

Prerequisites

inWebo login names must use the Domain\sAMAccountName format.

Install the Remote Desktop Gateway infrastructure and required roles:
https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-deploy-infrastructure

How to configure inWebo to accept authentication requests issued by NPS

On the inWebo management console

  • go to the “Secure Sites” tab

  • in the “Connectors” column click on “Add a connector of type” and select “Radius Push”

  • Fill in the “IP Address” field with the IP of the public interface of your device (or NAT address if behind a firewall).

  • Enter the “secret” configured previously on NPS.

  • Validate your connector configuration by pressing the “Add” or “Update” button.

Point to be noted: “Any configuration or modification made to your RADIUS connector will be applied at the start of the next hour”.

How to configure inWebo RADIUS servers on NPS

In the NPS MMC (Microsoft Management Console),

  • expand "NPS (local)> RADIUS Clients and Servers".

  • Select “Remote RADIUS Server Groups” and double click on “TS GATEWAY SERVER GROUP” to edit it.

In the “TS GATEWAY SERVER GROUP” Properties window,

  • Click on “Add” to configure the inWebo RADIUS servers.

In the “Add RADIUS Server” window

On the "Address" tab

  • provide the IP or DNS address of the inWebo RADIUS server

  • click on "Verify" to resolve it.

In most RADIUS client configurations, you will have to choose one of the following pairs of RADIUS servers to get failover:

inWebo RADIUS server addresses:

(See https://inwebo.atlassian.net/wiki/spaces/DOCS/pages/2216886275/RADIUS+integration+and+redundancy for additional details and configuration)

On the "Authentication / Accounting" tab

  • Configure a “Shared secret”
    (That same secret should be also provided on the inWebo platform later)

In the “Load Balancing” tab, change the timeout as follows.

  • For “Push” RADIUS mode: configure NPS to wait 30 seconds for a response to each authentication request and to fall back to the other server after 1 failed attempt.

(For more details, see: https://inwebo.atlassian.net/wiki/spaces/DOCS/pages/2216886275/RADIUS+integration+and+redundancy)

Repeat both operations to add the secondary server. Giving both servers the same Weight and Priority makes NPS load balance between them.
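The same "Remote RADIUS Server Groups" configuration can be scripted with netsh nps instead of the MMC, which makes the 30 s / 1-attempt Push timeout easy to review and reproduce on a second gateway. This is an added example, not part of the inWebo documentation; the server addresses are placeholders for the pair chosen from the redundancy page, and the script must run in an elevated PowerShell session on the NPS host.

```powershell
# Added example (not inWebo's own code): add the inWebo RADIUS pair to the
# remote RADIUS server group created by the RD Gateway role.
$Group   = 'TS GATEWAY SERVER GROUP'
# Placeholders: replace with the inWebo RADIUS server pair for your region.
$Servers = @('INWEBO-RADIUS-1.PLACEHOLDER', 'INWEBO-RADIUS-2.PLACEHOLDER')

# Prompt for the shared secret rather than hard-coding it in the script.
# It must be the same secret entered later in the inWebo "Radius Push" connector.
$Secure = Read-Host -Prompt 'Shared secret for the inWebo RADIUS servers' -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

foreach ($Address in $Servers) {
    # Push mode: NPS waits 30 s for the user to approve on their device
    # (timeout = 30) and treats a single dropped request as a failure
    # (maxdropped = 1) so it falls back to the other server.
    # Equal priority and weight load-balance requests across both servers.
    netsh nps add remoteserver `
        remoteservergroup = "$Group" `
        address = "$Address" `
        authsecret = "$Secret" `
        requireauthattrib = "yes" `
        acctsecret = "$Secret" `
        priority = 1 `
        weight = 50 `
        timeout = 30 `
        maxdropped = 1
    if ($LASTEXITCODE -ne 0) { throw "netsh nps failed to add $Address to '$Group'" }
}

# Dump the NPS configuration and check the group: both inWebo servers should be
# listed with a 30 s timeout and a maximum of 1 dropped request.
netsh nps show config
```

The secret still passes through the netsh command line, so run this interactively rather than from a logged scheduled task.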

How to configure NPS policies to forward authentication requests to inWebo RADIUS servers

In NPS MMC,

  • navigate to "NPS (local)> Policies> Connection request policies"

  • Double click on "TS GATEWAY SERVER GROUP" to modify it.

In the “TS GATEWAY AUTHORIZATION POLICY” Properties window,

In the “Settings” tab,

  • go to the “Authentication” section

  • select “Forward requests to the following remote RADIUS server group for authentication”.

  • Make sure that “TS GATEWAY SERVER GROUP” is selected.