2 factor authentication for windows desktop login with RADIUS

  • Question

  • Hi,

    We are trying to have MFA for Windows desktop login with our existing secure identity solution, but we cannot understand whether it is an achievable target or not. Our solution accepts RADIUS requests and sends an OTP to a mobile device. Based on the response of the end user, it sends a response to the target system (a Windows machine in this scenario). The architecture we have designed and the Windows desktop login steps with MFA are below. Our main question is: "Is it possible to make this happen with Windows systems?" If yes, how should we configure the Windows OS to make desktop login with RADIUS?

    Our planned architecture : https://drive.google.com/file/d/1p9wT79aupVHIRGBGNgIU7SIHEf3Feury/view?usp=sharing

    Login Steps

    1. The end user enters his user name and password at the login prompt on the Windows device. (I assume the Windows device supports RADIUS authentication.)

    2. User name and password are forwarded to RADIUS using a RADIUS request

    3. The end user’s password is verified against corporate directory server (e.g. LDAP or Active Directory)

    4. The login request is forwarded to the Server

    5. Server sends a “Trusted Message Sign” (TMS) approval request to the app (if necessary, the app is “woken up” using a push notification)

    6. If the end user approves the approval request, the response is sent back to Server

    7. Server answers to the RADIUS connector

    8. RADIUS server sends the RADIUS response back to the Windows device

    9. Access to resource is granted

    Regards,

    Thursday, February 15, 2018 1:38 PM

All replies

  • Hi,
    It seems that you need to integrate RADIUS with Active Directory. If that is the case, you might need to install the NPS service. Please check if the following articles are helpful:
    Plan NPS as a RADIUS server
    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-server
    Setup NPS for RADIUS authentication in Active Directory
    https://nolabnoparty.com/en/setup-nps-for-radius-authentication-in-active-directory/
    Please note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Wendy Jiang Wednesday, February 21, 2018 8:50 AM
    Friday, February 16, 2018 5:09 AM
  • I used Azure Multi-Factor Authentication Server to achieve a similar implementation to what you are planning to do. This works great to protect Windows Servers.

    You can also consider Duo Security as they have interesting options you may want to check. They integrate pretty well with Windows systems.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    • Proposed as answer by Wendy Jiang Wednesday, February 21, 2018 8:50 AM
    Sunday, February 18, 2018 9:12 PM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers. If you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate your feedback.

    Best regards,

    Wendy


    Wednesday, February 21, 2018 8:50 AM