The RD Gateway uses NPS to send the RADIUS request to Azure Multi-Factor Authentication. To configure NPS, first change the timeout settings so that NPS on the RD Gateway does not drop the request before the user has completed two-step verification. Then update NPS to accept the RADIUS authentications that come back from your MFA Server. Use the following procedure to configure NPS:
Modify the timeout policy
- In NPS, open the RADIUS Clients and Server menu in the left column and select Remote RADIUS Server Groups.
- Select the TS GATEWAY SERVER GROUP.
- Go to the Load Balancing tab.
- Change both the Number of seconds without response before request is considered dropped and the Number of seconds between requests when server is identified as unavailable to between 30 and 60 seconds. Both values must be longer than the time a user needs to respond to the verification prompt; if the server still times out during authentication, come back here and increase the number of seconds.
- Go to the Authentication/Accounting tab and check that the RADIUS ports specified match the ports that the Multi-Factor Authentication Server is listening on.
Prepare NPS to receive authentications from the MFA Server
- Right-click RADIUS Clients under RADIUS Clients and Servers in the left column and select New.
- Add the Azure Multi-Factor Authentication Server as a RADIUS client. Choose a Friendly name and specify a shared secret.
- Open the Policies menu in the left column and select Connection Request Policies. You should see a policy called TS GATEWAY AUTHORIZATION POLICY that was created when RD Gateway was configured. This policy forwards RADIUS requests to the Multi-Factor Authentication Server.
- Right-click TS GATEWAY AUTHORIZATION POLICY and select Duplicate Policy.
- Open the new policy and go to the Conditions tab.
- Add a condition that matches the Client Friendly Name with the Friendly name you gave the Azure Multi-Factor Authentication Server when you added it as a RADIUS client above.
- Go to the Settings tab and select Authentication.
- Change the Authentication Provider to Authenticate requests on this server. This policy ensures that when NPS receives a RADIUS request from the Azure MFA Server, the authentication occurs locally instead of sending a RADIUS request back to the Azure Multi-Factor Authentication Server, which would result in a loop condition.
- To prevent a loop condition, make sure that the new policy is ordered ABOVE the original policy in the Connection Request Policies pane. NPS applies the first connection request policy whose conditions match, so if the original policy sat above the new one it would catch the MFA Server's requests first and forward them back to the MFA Server.
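The following PowerShell script is an added example, not part of the original article or of Microsoft's own tooling. It performs the timeout change and the RADIUS client registration with netsh nps, then checks that the duplicated connection request policy is processed before the original one so that no RADIUS loop can occur. The MFA Server address, the friendly name and the name of the duplicated policy are placeholders you must replace; the netsh nps parameter names are taken from the netsh nps reference (confirm with `netsh nps set remoteserver ?` and `netsh nps add client ?`), and the "Name" and "Processing order" labels parsed from `netsh nps show crp` are assumed to match your NPS build. Run it in an elevated PowerShell session on the RD Gateway after you have duplicated the policy in the console.

```powershell
# Added example (not from the original article): script the NPS timeout and
# RADIUS client steps and verify the loop-prevention policy order.
param(
    [string]$MfaServerAddress = "192.0.2.50",                 # assumption: your Azure MFA Server
    [string]$MfaFriendlyName  = "Azure MFA Server",           # must equal the CRP condition value
    [string]$ServerGroup      = "TS GATEWAY SERVER GROUP",
    [string]$OriginalPolicy   = "TS GATEWAY AUTHORIZATION POLICY",
    [string]$MfaPolicy        = "TS GATEWAY AUTHORIZATION POLICY - MFA Server",  # assumption: name of your duplicate
    [int]$TimeoutSeconds      = 60,   # "Number of seconds without response before request is considered dropped"
    [int]$BlackoutSeconds     = 60    # "Number of seconds between requests when server is identified as unavailable"
)

function Invoke-Netsh {
    # Runs netsh with one argument per token. "tag=value" tokens containing
    # spaces are quoted as a whole by PowerShell, which netsh accepts.
    param([string[]]$Arguments)
    $out = & netsh @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Do not echo the full argument list: it may contain the shared secret.
        throw "netsh $($Arguments[0..2] -join ' ') failed:`n$($out -join "`n")"
    }
    $out
}

function Test-PolicyOrder {
    # Returns $true when $First has a lower "Processing order" than $Second in
    # the output of "netsh nps show crp", i.e. NPS evaluates $First first.
    # Assumed output labels: "Name = <policy>" and "Processing order = <n>".
    param([string[]]$ShowCrpText, [string]$First, [string]$Second)
    $orders  = @{}
    $current = $null
    foreach ($line in $ShowCrpText) {
        if ($line -match '^\s*Name\s*=\s*(.+?)\s*$') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^\s*Processing order\s*=\s*(\d+)') {
            $orders[$current] = [int]$Matches[1]
        }
    }
    if (-not ($orders.ContainsKey($First) -and $orders.ContainsKey($Second))) {
        throw "Policy '$First' or '$Second' not found in netsh nps show crp output"
    }
    return $orders[$First] -lt $orders[$Second]
}

# Step 1: lengthen the timeout and blackout for the MFA Server entry in the
# TS GATEWAY SERVER GROUP (the Load Balancing tab values in the procedure).
Invoke-Netsh @('nps', 'set', 'remoteserver', "remoteservergroup=$ServerGroup",
               "address=$MfaServerAddress", "timeout=$TimeoutSeconds", "blackout=$BlackoutSeconds") | Out-Null

# Step 2: register the MFA Server as a RADIUS client. The secret is prompted
# for instead of being stored in the script; it is still briefly visible on the
# netsh command line, so run this only on a host whose process list you trust.
$secure = Read-Host -Prompt "Shared secret for RADIUS client '$MfaFriendlyName'" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
Invoke-Netsh @('nps', 'add', 'client', "name=$MfaFriendlyName", "address=$MfaServerAddress",
               'state=enable', "sharedsecret=$secret") | Out-Null

# Step 3: the policy itself is duplicated in the console as described above;
# here we only confirm that it is evaluated before the original policy.
$crp = Invoke-Netsh @('nps', 'show', 'crp')
if (Test-PolicyOrder -ShowCrpText $crp -First $MfaPolicy -Second $OriginalPolicy) {
    Write-Host "OK: '$MfaPolicy' is evaluated before '$OriginalPolicy'; requests from the MFA Server authenticate locally."
} else {
    Write-Warning "'$MfaPolicy' is ordered below '$OriginalPolicy': requests from the MFA Server would be forwarded back to it (loop). Move the new policy up in Connection Request Policies."
}
```

If the order check warns, fix it in the console (Connection Request Policies, Move Up) and rerun the script; the check is deliberately read-only so that it cannot reorder policies on a production gateway by accident.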