We’re setting up 2FA for our RD Gateway and trying to configure RADIUS and tokens at the moment. Is it possible to setup a Push token for a RADIUS 2FA login request?
The scenario is:
User wants to login to system via Remote Desktop Gateway
To login, user is prompted with Push Notification using privacyidea app
RD Gateway is difficult. It might not work to your expectations. Even with “normal” OTP.
Especially with PUSH you need an additional component that triggers the challenge (PUSH notification) with privacyIDEA and checks, if the challenge was answered.
To my knowledge 2FA at the gateway level does not work out smoothly. But this is a vague and very old experience.
You might however take a look at our “privacyIDEA Credential Provider”, that does the 2FA on the desktop level (But also in this case PUSH is not supported, yet).
As a side note, if you already have RADIUS working with other tokens, there are two ways to get push tokens working as well. Note: neither of these will provide any feedback to the user beyond the request for the users PIN/tokencode. It will appear as if the authentication request has stalled until the user confirms on their device.
On the current release, you can set the push_wait within a policy to be the same length as your RADIUS request timeout (we have ours set to 60 seconds). This gives the user 60 seconds to respond to the push token before it times out.
If that option is not available in the version you are running, I have written an update to the RADIUS plugin that will poll the privacyIDEA installation while the push is in process. The pull request on the github page has this modification.
We have had success in our environment using both methods with our push tokens. But RADIUS must be working for at least software/hardware tokens first.
Hi, i’m testing around with the Remote Desktop Gateway with local NPS and can’t get it running. I always get the Error “ERR905: Missing Parameter: ‘pass’” on the freeradius if i try to connect with Push-Token over RDGate.
The freeradius runs well with TOTP.
Which config do you use on Microsoft Site?
I can’t find a solution to set “pass” in the NPS. I thing i’m making here somthing wrong.
Additional to the provided NetKnights NPS integration guide, you have to change one setting in the freeradius configuration.
First check your plugin version (File privacyidea_radius.pm)
We need the version with the ADD_EMTPY_PASS variable available. (added 2020-03-21)
If that is available - change the rlm_perl.ini file and add
ADD_EMPTY_PASS = true
to the default section.
After that you have to change your Push Authentication Policy with “otppin:none” - which is absolut ok because NPS will handle the credential validation.
And if not already done - you need to increase the Timeout values, else you will only have about 3 seconds to send and confirm the push notification.
NPS - Remote Radius Group / FreeRadius Server - Edit / Load Balancing - Increase to 30 or more seconds
change Timeout in rlm_perl.ini to (UpperValue-1) seconds
Change Authentication Push Policy - push_wait to (UpperValue-1) seconds
Now RDP Push Auth should work as excpected.
Btw in case you use this with a lot of users you will need to adapt the webserver config because each waiting radius request will represent a open http connection.
Hi!
I’m also trying to make push auth work with RD Gateway. I think I have done all needed configuration from “iOS privacyIDEA Push Token HOWTO” and also all additional steps from previous H3GE’s post.
I can see that freeradius says:
Reply-Message = “Please confirm the authentication on your mobile device!”
And gives no errors.
But it does not wait for push confirmation (it immediately goes again to “Ready to process requests”) and no push notification comes to ios device.
If I create additional token with pin for a user and go to “https://myip/validate/check?user=username&pass=1234” it also says “Please confirm the authentication on your mobile device!”, but again - no push on my ios device.
I dot see any errors or any information about push in privacyidea log.
Please, can somebody give me the right direction to find a problem?
iOS Push service is a bit unreliable, how we are using it. Apple designed its push service to run with on central cloud service per App.
We experience, that Apple devices sometimes do not receive push notificatins. This has nothing to do with RG gateway.
Given, your configuration is correct, sometimes it can help to delete the Push token from the phone and re-enroll a new one.
Sometimes this does not help.
Great news! I think it would be a good solution. It’s not a problem for a user to open an app manually and confirm request.
Yes, I have configured push wait to 30 seconds.
But I have found a problem. I have forgot to select realm and resolver in Policy parameters, so it seems my policy just wasn’t applied.
So my push notifications with RD Gateway work now! Even on ios!
Thanks for your help!
Hello again!
PrivacyIDEA still works pretty good for me with RD Gateway and ios devices. But I’ve got several new questions.
It seems “push_wait” parameter in pushauth policy has no effect. I did set it to 30 seconds, but radius server waits only for 10 sec for user’s confirmation. I had to set TIMEOUT=30 parameter in rlm_perl.ini file and now it works as expected and users has 30 seconds to confirm push. It that okay?
Also I have noticed that if I enroll one more push token to the same user for another device, a user has to confirm push notifications on both devices for successful authentication. Push notifications come to both devices. If he confirms only on one of devices - authentication does not work.
There are several messages in radius logs. One of them ends with “privacyIDEA access granted”. But another one is perl-privacyidea: ERROR: Internal failure creating pair &reply:privacyIDEA-Serial += $RAD_REPLY{'privacyIDEA-Serial'} -> 'undef'
Is it an expected behavior?
Yes. You have to be aware of all timeout is the authentication stack.
Are these really two devices? Or are the devices linked to the same Cloud account? Then they probably have the same firebase_token. So for the push service, this is one device.
This is fine. You can unconfigure this is rlm_perl.ini.
Yes. Here is what i did. I have enrolled first push token, added it to PI app on ios device. Checked it, it works fine, i can successfully authenticate. After that I have enrolled a second push token for the same username and added it to PI app on android device. After that when I try to authenticate I get push notifications on both devices (ios and android) and it seems that I have to Allow both of them to authenticate successfully. If I Allow only one notification I cannot authenticate.
Actually that is not a big problem. I do not think that I will really need two devices (and tokens) or more for one user. Just decided to inform you about that behavior, just in case
Thanks!
“Yes. Here is what i did. I have enrolled first push token, added it to PI app on ios device. Checked it, it works fine, i can successfully authenticate. After that I have enrolled a second push token for the same username and added it to PI app on android device. After that when I try to authenticate I get push notifications on both devices (ios and android) and it seems that I have to Allow both of them to authenticate successfully. If I Allow only one notification I cannot authenticate.”
This could actually be a quite usefull feature for extra security. There might be situations where you want two persons to confirm the login. Let’s say you have a security consernet company. They will let external consultants log in, but to as an extra security measure they wish a internal manager to confirm the login.