
iuwd4 (iuwd4) asked a question.
Hi All,
After many years of trying to find a solution to have Okta MFA push authentication work in a Microsoft Remote Desktop Gateway environment, I've successfully implemented this using code from GitHub, linked in this tutorial.
All credit for the code goes to the code author! This is simply a guide on how to implement this in your environment.
A few things to note before we head down this path:
1) This will only allow for PUSH authentication on the RD Gateway. I know that the RD Gateway Web Apps portal supports SSO/SAML; however, once the user has access to the RDP file of the application, MFA is no longer required, as they can just launch it from their desktop and connect without authentication. In my opinion, this is a FLAW from Microsoft.
2) This is somewhat like what the Azure or Duo integration for RD Gateway does; however, as the Remote Desktop client doesn't have any inputs, it doesn't support call-in or SMS, as there are no input fields for the application to submit data back.
Let's begin!
GitHub code is found here: https://github.com/bdalpe/RADIUS-to-Okta-MFA
Download the ZIP and save it to a Linux server/system. (You can do this in Docker, but I haven't done it.) You will need to open ports 1812, 1813 and 1814 inbound and outbound, and 8080, 80, 443 and 8443 outbound. (Or you can be lazy and disable the firewall.)
Now in terminal, change to the directory of the zip file, extract it, and work in that directory.
Edit the file run.sh using gedit or vi or your favorite flavor of Linux editor.
#!/bin/sh
# Simple, put your Okta tenant here.
export OKTA_TENANT=yourtenant.okta.com
# In Okta, navigate to Security > API > Generate Token. Put that value in here.
export OKTA_API_KEY=XXXXXX
# Put whatever complex thing you wish here; this is just used to communicate with your NPS server on the RD Gateway server.
export RADIUS_SECRET=******
# Use python3 here, because you should be using Python 3 on Linux in 2020.
p=$(which python3)
$p server.py
Save this file. This is all you have to do.
Back in the command line, run the following command.
pip3 install -r requirements.txt
You will see stuff installing; that is a good thing. If you don't, then install pip3 with yum or apt-get, whatever Linux you are using.
Once this has finished installing, just run the command /bin/sh run.sh and leave the terminal open. It will be blank, and you will see nothing.
RDP to your RD Gateway server and find "Remote RADIUS Server".
Right-click and create a new one. Call it OktaRDG or something similar. Add the IP address of the Linux server where you put the script and hit Apply.
Click the OktaRDG object that you just created and click Edit.
Navigate to the second tab and, where I pointed the arrows, put in the SAME secret which you put in the run.sh configuration file in the step above.
Under Load Balancing, change the settings so they look exactly like the ones in the screenshot. This makes it so that a user has 30 seconds to hit the "Yes, it's me!" push on their mobile device before the server drops the attempt.
Hit Okay.
Now, to enable this policy on the Microsoft Remote Desktop Gateway, you will have to navigate to "Connection Request Policies" on the NPS server.
Create a new one by right-clicking and pressing "New".
For General, make sure you choose the Remote Desktop Gateway:
(PLEASE DISABLE THE POLICY FOR NOW UNLESS IT'S ON A TEST SERVER)
For Conditions, put in NAS Port Type as VPN, which will target ALL RDP connections. (Or customize them as you wish.)
Under settings, leave everything blank except for the following:
Forward your requests to the Remote RADIUS Server group which you created (I called mine Okta-RDG):
Under Specify a Realm Name, you must do the following:
Change the Attribute field to User-Name, and then MAP each AD user to the Okta account that you need to authenticate.
For example, see transforms below:
The employee's name is John Snow. His username is jsnow.
The user normally logs into the gateway with domainname\jsnow.
In the mapping, you will put in Find: jsnow - Replace With: john.snow@domainname.com
In my example, he logs in with company\jsnow, and his Okta login is john.snow@company.com, so I have made the mapping.
This will work for any mapping! If your users log in with domainname\john.snow, you will use Find: john.snow - Replace With: john.snow@domainname.com
You can also map random domain accounts to any Okta token. Let's say you have a vendor service account called domainname\vendor3511. You can make a rule to target an Okta account for that vendor with the email of cool.vendor@company.com
You can create a rule of Find: vendor3511 - Replace With: cool.vendor@company.com
VERY IMPORTANT: Keep this rule disabled until FULLY TESTED. Once you enable the rule and make it the top priority, ANY connections to this Remote Desktop Gateway server will be forced to use multifactor. They will be re-authenticated ANY time they try to RDP using an RDP file that has this gateway server and the policy enabled.
Please let me know if you have any questions.
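The two pieces the post wires together, as an added example that is not part of the original post or of the RADIUS-to-Okta-MFA project: the User-Name Find/Replace rewrite that NPS applies under "Specify a Realm Name" before forwarding, and the RADIUS Access-Request / Access-Accept exchange between NPS and the Linux box, keyed with the RADIUS_SECRET from run.sh. Assumptions: Python `re` syntax stands in for the NPS pattern syntax and rules are applied first-match-wins; NAS-Port-Type 5 is the value NPS labels "Virtual (VPN)"; the `approved_logins` set stands in for the result of the Okta push, which the real server obtains over the network; the domain, user names and secret are constructed. Beyond the post's one-user-per-rule mappings, the third rule shows a single regex that covers every domain\first.last login.

```python
"""Added example (not from the original post or the bdalpe/RADIUS-to-Okta-MFA
project): the User-Name rewrite NPS applies before forwarding, and the RADIUS
exchange between NPS and the Linux MFA server keyed with the run.sh secret.
All names, the domain and the secret below are constructed."""
import hashlib
import hmac
import os
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3        # RFC 2865 packet codes
USER_NAME, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 1, 61, 80   # attribute types
NAS_PORT_TYPE_VIRTUAL = 5    # assumption: the NAS-Port-Type value NPS labels "Virtual (VPN)"

# NPS-style Find/Replace rules (Python re syntax stands in for the NPS pattern
# syntax; this example applies rules in order and stops at the first match).
# Patterns anchor the whole name, so "company\jsnow" becomes exactly
# "john.snow@company.com" and not "company\john.snow@company.com".
NAME_RULES = [
    (r"^(?:[^\\]+\\)?jsnow$", "john.snow@company.com"),          # one AD user
    (r"^(?:[^\\]+\\)?vendor3511$", "cool.vendor@company.com"),   # vendor service account
    (r"^(?:[^\\]+\\)?([a-z]+\.[a-z]+)$", r"\1@company.com"),     # any domain\first.last login
]

def rewrite_user_name(user_name, rules=NAME_RULES):
    """Okta login for an incoming User-Name, or None when no rule matches (fail closed)."""
    for pattern, replacement in rules:
        new_name, count = re.subn(pattern, replacement, user_name, flags=re.IGNORECASE)
        if count:
            return new_name
    return None

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def _header(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def _parse(packet):
    """Attributes as {type: value} plus a copy of the packet with the
    Message-Authenticator value zeroed (None if absent or malformed)."""
    attrs, zeroed, i = {}, None, 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            return {}, None
        attrs[atype] = packet[i + 2:i + alen]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:i + 2] + bytes(16) + packet[i + 18:]
        i += alen
    return attrs, zeroed

def build_access_request(secret, ident, user_name, request_auth):
    """What NPS forwards: User-Name, NAS-Port-Type and an HMAC-MD5
    Message-Authenticator (RFC 2869) keyed with the shared secret."""
    attrs = _attr(USER_NAME, user_name.encode()) + _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))
    unsigned = _header(ACCESS_REQUEST, ident, request_auth, attrs + _attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return _header(ACCESS_REQUEST, ident, request_auth, attrs + _attr(MESSAGE_AUTHENTICATOR, mac))

def handle_access_request(packet, secret, approved_logins, rules=NAME_RULES):
    """MFA-server side: an Access-Accept/Reject packet, or None when the request
    must be silently discarded (bad length, missing or wrong Message-Authenticator)."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, zeroed = _parse(packet)
    if code != ACCESS_REQUEST or length != len(packet) or zeroed is None:
        return None
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), attrs[MESSAGE_AUTHENTICATOR]):
        return None   # wrong RADIUS_SECRET: drop without answering, as RFC 2869 s.5.14 requires
    okta_login = rewrite_user_name(attrs.get(USER_NAME, b"").decode("utf-8", "replace"), rules)
    # The real server sends the Okta push here and waits (inside the 30 s NPS timeout)
    # for approval; `approved_logins` stands in for that result in this offline example.
    approved = okta_login is not None and okta_login in approved_logins
    # Response Authenticator (RFC 2865 s.3): MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", ACCESS_ACCEPT if approved else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + packet[4:20] + secret).digest()

def verify_reply(reply, request, secret):
    """NPS side: the reply's ID must match and its Response Authenticator must
    have been built with the same secret; returns the packet code or None."""
    if len(reply) < 20 or reply[1] != request[1] or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[0] if hmac.compare_digest(expected, reply[4:20]) else None

def run_exchange(user_name, secret, approved_logins, ident=1):
    """Full round trip; the verified reply code, or None if either side discarded a packet."""
    request = build_access_request(secret, ident, user_name, os.urandom(16))
    reply = handle_access_request(request, secret, approved_logins)
    return None if reply is None else verify_reply(reply, request, secret)

if __name__ == "__main__":
    secret, approved = b"the-RADIUS_SECRET-from-run.sh", {"john.snow@company.com"}   # constructed
    for name in (r"company\jsnow", r"company\vendor3511", r"company\ulast"):
        print(f"{name:20} -> {rewrite_user_name(name)!s:26} -> reply code {run_exchange(name, secret, approved)}")
```

Two behaviours are worth noticing when testing your own setup against this: a request signed with a different secret gets no reply at all rather than an Access-Reject, so a mismatch between run.sh and the Remote RADIUS Server group shows up on the NPS side as a timeout, not a failed logon; and a name no rule matches (company\ulast above) is rejected before any push is sent, whereas NPS itself forwards an unmatched User-Name unchanged, leaving Okta to fail the lookup.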

Hi Paulo
Thank you very much for posting this.
This will help a lot of people.
Hey guys!! I hope that everyone is well in these "strange" times!
On the second note: has anybody experienced very, very delayed push notifications from the Okta infrastructure, which come way later, when the RDG session request/connection has already expired? At the same time, regular Okta portal push notifications are coming through just fine...
Hi Vitali, the only time I've experienced this is when I didn't have the firewall disabled on the Linux box talking to the RADIUS server.
Thanks a lot Paulo for creating and sharing this solution!!
Hmm... I think the FW on our Ubuntu 18.04 is disabled, but I'll double-check this tomorrow. Any other thoughts?
Paulo, BTW, have you thought about using the Okta RADIUS App (https://help.okta.com/en/prod/Content/Topics/Security/Okta_Radius_App.htm) and configuring the RADIUS server on the same Windows box that is running RDG (as Microsoft suggests for Azure MFA (https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-rdg)), instead of using an external Linux-based RADIUS server? Even though it is not 100% proven, it seems that it just may work...
Hi Vitali, a few things. I don't really have any other thoughts, other than maybe having the Okta app open when it does the push. I haven't had any issues with delay, but honestly I know that the Linux server has to have a good routing path to and from the RADIUS server and the internet for the push to work well.
As for using the RADIUS client, yes, I have tried this before and it doesn't work. I think a few clients used professional services; however, I am not an Okta employee, so I do not know.
Sorry to bump this up, but I was really hoping someone could help. I set all of this up, and it does work if I create the mapping rule, but it's not really realistic to create a mapping rule for everyone. Our Okta expects User.Last@domain.com but RDG is feeding domain\ulast. There is no way to extract the username from the incoming string, as it's just the first letter of the username. Is there anything I can do for the incoming string to be the UPN instead of the SAN? I even looked a bit at the code to see if we can somehow feed the SAN to Okta and it would reply properly, but I don't have the coding skills to figure out what is going on. This is very useful and so close to getting it working, but this manual name mapping is a show stopper 😞
Not sure if you found the answer, but if you look at the developer's GitHub, he added the feature "Using samAccountName to Find a User", which should work for you.
https://github.com/bdalpe/RADIUS-to-Okta-MFA#using-samaccountname-to-find-a-user