If you want to enable push authentication for RDS through NPS and our SP RADIUS Server, this is how to do it.
RDS with SP Radius and push authentication in auto push mode
When you want to use RDS with NPS and the SurePassID (SP) RADIUS server to add MFA to the login process, you will need to follow these steps:
Set up the SP RADIUS server to check the OTP only, allow push, and enable auto push. Make sure you have RADIUS server version 2024.2.9307.18882 (06-25-25) or later installed and running, and that the None - Only Authenticate OTP option is selected.
On the Security Options page, enable push together with auto push, and set the option to ignore the Message-Authenticator attribute:
With this configuration, when a user logs in to the RDS system, in particular when launching a remote application, a push notification is sent automatically to their mobile app, and the user can approve or deny the connection. Note what the last option gives up: Message-Authenticator (RFC 2869) is the HMAC-MD5 integrity check over a RADIUS packet, keyed with the shared secret. With that check ignored, the SP RADIUS Server relies only on the RADIUS Client White List and the shared secret to reject spoofed or altered requests, so keep its RADIUS port reachable only from the NPS host and use a long, random shared secret.
To configure NPS, create a Remote RADIUS Server entry that forwards traffic to your SP RADIUS server, including the shared secret the two sides will use. You must also add a remote client entry on the SP RADIUS Server for the host running NPS. In this scenario, RDS and NPS run on the same machine.
You can also create a Remote RADIUS Server without a template by adding a new entry directly in the Remote RADIUS Server Groups section.
The above creates a Remote RADIUS Server template, which is then used to create a Remote RADIUS Server entry under Remote RADIUS Server Groups, as shown:
On the SP RADIUS Server's RADIUS Client White List, add an entry with the IP address and shared secret of the NPS server. Without this entry the SP RADIUS Server will not recognise the NPS as a client and will not answer its authentication requests.
In NPS, add the name or IP address of the RDS system (the RD Gateway) to the RADIUS Clients list. This lets the RD Gateway forward authentication requests to NPS, which relays them to the SP RADIUS Server for processing.
In this configuration we gave the RDS server a distinct friendly name, entered its DNS name or IP address, and typed the shared secret manually (a template can be used here as well). The vendor name was left as RADIUS Standard.
We then edited the TS Gateway Authorization Policy connection request policy so that it forwards authentication requests to the remote RADIUS server group:
The rest of that policy is the standard one RD Gateway creates and should be left largely as it is; change other settings only with care, as most are best left at their defaults.
In this scenario, we utilized the Quick Start option to deploy the Remote Desktop Services (RDS) on a single Windows server, which included the Gateway, Broker, Licensing, and Session Host components all configured together.
Following Microsoft's recommendations, open the properties in RD Gateway Manager and, on the RD CAP Store tab, select "Central server running NPS", then enter the name of the NPS server and its shared secret. This points the gateway at the NPS, which in this scenario is the same machine:
Provided the RDS system is correctly configured to use NPS for authentication, and NPS is set up to reach the SP RADIUS Server as a remote RADIUS server with the settings above, end users can authenticate to the RDS system and will receive a push notification for multi-factor authentication (MFA).
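As an added example (not SurePassID, Microsoft or page code) of what the Message-Authenticator setting and the RADIUS Client White List actually control, the following Python probe sends one RADIUS Access-Request straight to the SP RADIUS Server, the same kind of packet NPS forwards on the RD Gateway's behalf, and validates the reply. The host, port 1812, user name, OTP and shared secret are assumptions to replace with your own; run it from the NPS host, because only white-listed client IPs get an answer.

```python
"""RADIUS Access-Request probe for the NPS -> SP RADIUS hop (RFC 2865 / RFC 2869).
Hypothetical test tool, not SurePassID or Microsoft code: run it from a host on the
SP RADIUS Client White List, using that entry's shared secret."""
import hashlib
import hmac
import os
import socket
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80
CODE_NAMES = {ACCESS_ACCEPT: "Accept", ACCESS_REJECT: "Reject", ACCESS_CHALLENGE: "Challenge"}


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(type_: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_, len(value) + 2) + value


def parse_attrs(body: bytes) -> List[Tuple[int, bytes, int]]:
    """(type, value, offset of the attribute header in body); rejects bad lengths."""
    out, i = [], 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        out.append((t, body[i + 2:i + length], i))
        i += length
    return out


def build_access_request(user: str, otp: str, secret: bytes, ident: int = 1,
                         authenticator: Optional[bytes] = None) -> bytes:
    """The OTP travels as User-Password; Message-Authenticator is HMAC-MD5(secret) over the
    whole packet with its own 16 value bytes zeroed (RFC 2869 5.14)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, encode_password(otp.encode(), secret, authenticator))
             + attr(NAS_IDENTIFIER, b"radius-probe")
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_message_authenticator(pkt: bytes, secret: bytes,
                                 request_authenticator: Optional[bytes] = None) -> bool:
    """True only if the attribute is present and matches. For a reply, the HMAC input uses
    the Authenticator of the request it answers, so pass that in."""
    try:
        hits = [o for t, v, o in parse_attrs(pkt[20:])
                if t == MESSAGE_AUTHENTICATOR and len(v) == 16]
    except ValueError:
        return False
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt) or not hits:
        return False
    off = 20 + hits[-1]
    auth = pkt[4:20] if request_authenticator is None else request_authenticator
    zeroed = pkt[:4] + auth + pkt[20:off + 2] + b"\x00" * 16 + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[off + 2:off + 18])


def verify_response_authenticator(resp: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:] + secret).digest()
    return len(resp) >= 20 and hmac.compare_digest(expected, resp[4:20])


def probe(host: str, secret: bytes, user: str, otp: str, port: int = 1812,
          timeout: float = 90.0) -> Tuple[str, List[Tuple[int, bytes, int]]]:
    """One request, one classified reply. The long timeout is deliberate (assumption):
    with auto push the server holds the request until the user answers on the phone."""
    request_auth = os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(user, otp, secret, authenticator=request_auth), (host, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            # RADIUS servers silently drop requests from unknown clients, so no reply
            # usually means "not on the RADIUS Client White List", not "wrong OTP".
            return "NoReply", []
    if not verify_response_authenticator(resp, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    attrs = parse_attrs(resp[20:])
    if any(t == MESSAGE_AUTHENTICATOR for t, _, _ in attrs) and \
            not verify_message_authenticator(resp, secret, request_auth):
        raise ValueError("Message-Authenticator mismatch on reply")
    return CODE_NAMES.get(resp[0], "Unknown"), attrs
```

Usage from the NPS host is `probe("radius.example.internal", b"shared-secret", "alice", "123456")` (all four values are placeholders). A NoReply rather than a Reject points at the white list or the port; an Accept arrives only after the push has been approved, so the call blocks for as long as the user takes. When you move on to testing the full RD Gateway chain, check that each hop's RADIUS timeout (the NPS remote server group's, and whatever the RD Gateway applies) is also long enough to cover that approval, or the push will be answered after the upstream request has already been abandoned.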
Note that this example was tested with RD Web. Although the gateway's own authentication uses NTLM and carries no MFA, access to the published RemoteApps and remote desktops is still gated by RADIUS, so MFA is applied when those connections are authorized.