Okta MFA Push Authentication on Microsoft Remote Desktop Gateway
I've successfully implemented this using code from Github linked in this Tutorial.
All credits of the code go to the Code Author! This is simply a guide on how to implement this in your environment.
A few things to note before we head down this path:
1) This will only allow for PUSH authentication on the RDG Gateway. I know that RDG Gateway Web Apps portal supports SSO/SAML, however, once the user has access to the RDP file of the application, MFA no longer is required as they can just launch this from their desktop and connect without authentication. In my opinion, this is a FLAW from microsoft.
2) This is somewhat of what Azure or Duo integration for RDG Gateway does, however, as the Remote Desktop client doesn't have any inputs, it doesn't support Call-in or SMS as there is no input fields for the application to submit back data.
Let's begin!
Github code is found here: https://github.com/bdalpe/RADIUS-to-Okta-MFA
Download the ZIP and save it to a Linux server/system. (You can do this in Docker but I haven't done it). You will need to open ports 1812-1813-1814 inbound and outbound, and 8080, 80,443 and 8443 outbound. (Or you can be lazy and disable the firewall)
Now in terminal, change to the directory of the zip file, extract it, and work in that directory.
*!/bin/sh
export OKTA_API_KEY=XXXXXX -> In Okta, Navigate to Security > Api > Generate Token. Put that value in here.
export RADIUS_SECRET=****** -> Put whatever complex thing you wish here, this is just used to communicate to your NPS server on the RDG Gateway server.
p=$(which python) -> Change this to p=$(which python3) because you should be using python3 in linux in 2020.
$p server.py
Save this file. This is all you have to do.
Back in the command line, run the following command.
pip3 install -r requirements.txt
You will see stuff installing, that is a good thing. If you don't, then install pip3 with yum or apt-get, whatever linux you are using.
Once this is completed installing, just run the command /bin/sh run.sh and leave the terminal open. It will be blank, and you will see nothing.
RDP to your RDG Gateway server, find "Remote Radius Server"
Right click and Create New. Call it OktaRDG or something similar. Add the Linux server's IP Address where you put the script and hit Apply.
Click the OktaRDG object that you just created and click Edit.
Navigate to the second tab and where I pointed the arrows, put in the SAME secret which you put in the run.sh configuration file in the step above.
Under Load Balancing, Change the settings so they look exactly like the ones in the screenshot. This makes it so that a user has 30 seconds to hit the Yes its Me! push on their mobile device before the server drops the attempt.
Click Okay.
Now, to enable this policy on the Microsoft Remote Desktop Gateway, you will have to navigate to "Connection Request Policies" on the NPS server.
Create a new one by right clicking and pressing "new".
For General, Makes sure you choose the remote desktop gateway:
(PLEASE DISABLE THE POLICY FOR NOW UNLESS ITS ON A TEST SERVER)
For conditions, put in NAS Port type as VPN which will target ALL Rdp connections. (Or customize them as you wish)
Under settings, leave everything blank except for the following:
Forward your requests to the Remote Radius Sever group which you created: (I have called mine as Okta-RDG)
Under Specify a Realm Name, you must do the following:
Change the Attribute field to User-name, and then MAP each AD-user to Okta account that you need to authenticate.
For example, see transforms below:
The employee's name is John Snow. His username is jsnow.
The user normally logs into the gateway with domainname\jsnow.
In the mapping, you will put in Find:jsnow - Replace With: john.snow@domainname.com
In my example, he logs in with company\jsnow, and his Okta login is john.snow@company.com, so I have made the mapping.
This will work for any mapping! If your users log in with domainname\john.snow, you will Find:john.show - Replace With: john.snow@domainname.com
You can also map random domain accounts to any okta token. Let's say you have a vendor service account, called domainname\vendor3511. You can make a rule to target an okta account for that vendor with the email of cool.vendor@company.com
You can create a rule of Find:vendor3511 - Replace with: cool.vendor@company.com
VERY IMPORTANT: Keep this rule disabled until FULLY TESTED. Once you enable the rule and make it the top priority, ANY connections to this Remote Desktop Gateway server will be forced to use multifactor. They will be re-authenticated ANY time they try to RDP using an RDP file that has this gateway server and the policy enabled.
Please let me know if you have any questions.
