Push Notification Authentication for RADIUS 2FA request (RD Gateway)?

We’re setting up 2FA for our RD Gateway and trying to configure RADIUS and tokens at the moment. Is it possible to set up a Push token for a RADIUS 2FA login request?

The scenario is:

  1. User wants to log in to the system via Remote Desktop Gateway
  2. To log in, user is prompted with Push Notification using privacyidea app
  3. User taps approve and is granted access

Thanks for any help!

Any help answering this question would be greatly appreciated - we’re not looking for configuration help, just want to know if it’s possible.

RD Gateway is difficult. It might not work to your expectations. Even with “normal” OTP.
Especially with PUSH you need an additional component that triggers the challenge (PUSH notification) with privacyIDEA and checks if the challenge was answered.

To my knowledge 2FA at the gateway level does not work out smoothly. But this is a vague and very old experience.
You might, however, take a look at our “privacyIDEA Credential Provider”, which does the 2FA on the desktop level (but also in this case PUSH is not supported yet).

Short answer: Currently nothing out of the box.

Thank you! Very much appreciated. We’re still looking into how we might do this eventually.

As a side note, if you already have RADIUS working with other tokens, there are two ways to get push tokens working as well. Note: neither of these will provide any feedback to the user beyond the request for the user's PIN/tokencode. It will appear as if the authentication request has stalled until the user confirms on their device.

On the current release, you can set the push_wait within a policy to be the same length as your RADIUS request timeout (we have ours set to 60 seconds). This gives the user 60 seconds to respond to the push token before it times out.

If that option is not available in the version you are running, I have written an update to the RADIUS plugin that will poll the privacyIDEA installation while the push is in process. The pull request on the GitHub page has this modification.

We have had success in our environment using both methods with our push tokens. But RADIUS must be working for at least software/hardware tokens first.
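An added example (not the code from the pull request mentioned above, and not privacyIDEA's own) of the polling approach: hold the RADIUS request while asking whether the push was confirmed, and reject if no confirmation arrives inside the RADIUS timeout. `poll`, `margin`, the transaction id and the simulated clock are assumptions made for the illustration; `poll` stands in for whatever call asks the server whether the challenge was answered.

```python
import time


def wait_for_push(poll, transaction_id, radius_timeout=60.0, margin=5.0,
                  interval=1.0, clock=time.monotonic, sleep=time.sleep):
    """Poll until the push is confirmed or the RADIUS time budget is spent.

    poll(transaction_id) is a hypothetical callable returning True once the
    user has approved. margin (an assumption of this example) stops polling
    a little before the RADIUS client gives up, so a reply still arrives.
    """
    deadline = clock() + max(radius_timeout - margin, 0.0)
    while True:
        try:
            confirmed = poll(transaction_id) is True
        except Exception:
            confirmed = False  # an error is never treated as approval
        if confirmed:
            return "Access-Accept"
        remaining = deadline - clock()
        if remaining <= 0:
            return "Access-Reject"  # fail closed when the budget runs out
        sleep(min(interval, remaining))


class FakeClock:
    """Constructed clock so the demo runs instantly and deterministically."""
    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate(confirm_after, radius_timeout=60.0):
    """Constructed scenario: the user approves `confirm_after` seconds in
    (None means never). Returns (decision, simulated seconds elapsed)."""
    fc = FakeClock()

    def poll(_tid):
        return confirm_after is not None and fc.now >= confirm_after

    decision = wait_for_push(poll, "constructed-transaction-id",
                             radius_timeout, clock=fc.time, sleep=fc.sleep)
    return decision, fc.now


if __name__ == "__main__":
    print(simulate(12))    # user approves after 12 s
    print(simulate(None))  # user never responds
```

During the wait the RADIUS client sees no response at all, which matches the stalled-login behaviour described above.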

Thanks @droo for this comment, this is helpful. As we get deeper into this configuration, I may reach out again.