I have a PhoneFactor implementation that I love and cherish for VPN access. PhoneFactor provides us a RADIUS server that checks against an approved-users list and our Active Directory implementation, then calls to provide two-factor auth. I want to set up Remote Desktop Services in Windows Server 2008 R2 to have RDP authenticate against RADIUS rather than AD itself. Is there a way to accomplish this?
Use RADIUS authentication with Remote Desktop Services
radius, rdp, windows-terminal-services
Best Answer
The only way I can think to do this easily is by using a Remote Desktop Gateway. The call to the gateway can then go to a Network Policy Server (NPS), which can issue remote RADIUS calls. I don't know of any way to issue RADIUS requests for direct Remote Desktop Access, since at that point you have already gotten to the client and the client follows its normal authentication route.
With the Remote Desktop Gateway you essentially set up an RDP over HTTPS environment, and the server does the first-pass authentication, which can include RADIUS calls. It essentially offloads the authentication and authorization to either a local or central NPS box. You can easily configure the NPS box to look to your custom RADIUS box. Once past the server, the client still has to authenticate with the client, but the idea is that the server already did your two-factor authentication; the client is really just a formality at that point.
Hope that helps.
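The RADIUS call that NPS would make to the custom RADIUS box, as an added example that is not part of the original answer and is not NPS or PhoneFactor code: it builds an RFC 2865 Access-Request and checks the reply's Response Authenticator, which is why the shared secret configured on both boxes has to match. The user name, NAS identifier and secret are constructed sample values, and the attribute set NPS actually sends is an assumption.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 32, 80

def attr(atype, value):
    """Encode one attribute as type, length, value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(secret, ident, user, nas_id, request_auth=None):
    """Access-Request with a Message-Authenticator (RFC 2869 section 5.14)."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(NAS_IDENTIFIER, nas_id.encode())
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def build_reply(secret, code, request, attrs=b""):
    """Server side: Response Authenticator = MD5(code, id, len, request auth, attrs, secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs

def verify_reply(secret, request, reply):
    """Proxy side: accept a reply only if ID, length and authenticator all check out."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    (length,) = struct.unpack("!H", reply[2:4])
    if length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # sample value, not a real secret
    req = build_access_request(secret, 7, "alice", "rdgw01")
    good = build_reply(secret, ACCESS_ACCEPT, req)
    bad = build_reply(b"mismatched-secret", ACCESS_ACCEPT, req)
    print("matching secret accepted:", verify_reply(secret, req, good))
    print("mismatched secret accepted:", verify_reply(secret, req, bad))
```

A reply computed with a different secret, or one whose code byte is altered in transit, fails `verify_reply` and is dropped rather than treated as an Access-Accept.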