Remote Desktop Gateway - Configuring NPS/Radius to forward requests to Okta
I was wondering if it was possible to forward authentication requests coming through Remote Desktop Gateway to Okta, so users accessing from the internet into remote applications can have MFA enforced?
Is there any update on this topic? It looks like RD gateway server only supports Microsoft NPS server as Radius server. How to configure Okta Radius agent server as the proxy between RD gateway and NPS?
@Drew - this is not the correct solution. You cannot just install the Okta RADIUS client and done. As Scott Li stated, we are looking for a work around on the NPS issue so that we can have the RDP Gatwaway call the Okta RADIUS client/server and then enforce MFA based on a defined Okta policy for remote access through the gateway.
Currently DuoSecurity provides a Duo AUthentication for RD Gateway client. I would like to see Okta provide this too! If you want to play in the MFA space, you need to compete with Duo, and frankly Okta already has all the parts to assemble this solution for its customers. So please do it!
Very aware of the Liebsoft partnership and was turned to them by our sales rep. My issue is this, Okta needs to provide this! Duo is moving in on Okta space and if they have and soon offer SSO, why use Okta?
Our team was able to successfully forward RADIUS requests from an RD Gateway to Okta RADIUS agent. However, the agent does not even attempt to accept the request (no entries in Okta Radius log). This seems to be due to the AVP being sent by the RD Gateway highlighted below. Since the agent does not handle the request authentication eventually times out. This was tried many different options to alter the attributes being sent to no avail. A case was opened with Okta and their only suggestion was to engage their professional services. Fail!
When you implement a radius server for RDS Web you hate to check "allow clients to connect without negotiating an authentication method", Okta radius only supports PAP. Until they implement the functionnality this can't be configured.