ADFS 3.0 MFA with RADIUS authentication as second factor (authentication provider for RADIUS)?

  • Question

  • Please bear with me as I explain the scenario for this to make sense. We have an existing remote access infrastructure that uses RADIUS for 2FA - LDAP (AD) and a 3rd party TOTP provider. The TOTP provider could be RSA, Yubikey, Google, Azure, etc. - the RADIUS server is already configured to allow multiple possible TOTP providers as the 2nd factor for authentication.

    Now we want to implement ADFS to some of our service providers because of its robust authorization claim rules; but we want to have the security of having a 2nd factor for authentication, and the flexibility that we currently have in our RADIUS setup. Instead of having the same TOTP providers set up for ADFS MFA, which would be redundant, as it is already configured in RADIUS, we thought it would be possible to use the result of RADIUS authentication instead as the 2nd factor for authentication in ADFS. Aside from that, we want to have a single point of entry in our network for obvious security reasons, so we cannot have both ADFS and RADIUS on the perimeter. We of course want to maintain SAML-based SSO so relying on RADIUS alone is not an option. I want to make it clear that we do not want to replace RADIUS since too many systems are already dependent on it; what we want is to consume its existing functionality for ADFS MFA.

    We currently have this scenario set up on our F5 APM SAML-IdP, so this is not something new. I just want to know if this is possible for ADFS, and how difficult it would be to implement, to even consider replacing the current F5 setup. If F5 APM can do it, then perhaps ADFS can too? Well, that's my reasoning at least.

    I looked through possible options and found that it is necessary to create a custom authentication provider, as described in this link:

    https://blogs.technet.microsoft.com/cloudpfe/2014/02/01/how-to-create-a-custom-authentication-provider-for-active-directory-federation-services-on-windows-server-2012-r2-part-2/

    The instructions are detailed enough to implement this for testing; but I find that it highly depends on the actual source of the 2nd factor for authentication. I found clear instructions for implementing this using Google Authenticator and Yubikey (aside from the readily supported MFA providers); but I could not find instructions on creating an authentication provider for RADIUS.

    Is this even possible? Can anyone point me in the right direction?

    Thursday, March 17, 2016 5:50 PM

Answers

  • For anyone who's wondering; I was able to implement this by creating a custom authentication provider as described in the technet blog I posted in the question:

    https://blogs.technet.microsoft.com/cloudpfe/2014/02/01/how-to-create-a-custom-authentication-provider-for-active-directory-federation-services-on-windows-server-2012-r2-part-2/

    I used a .NET class in this link to implement a RADIUS client for the provider since I could not find any other .NET API:

    http://nradius.nw-network.com/web/

    Anyway, it worked perfectly! Too bad I could not find out who developed that class, but I did send an anonymous thanks.

    • Marked as answer by PSapprentice Friday, March 25, 2016 9:04 AM
    Friday, March 25, 2016 9:04 AM
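The accepted answer relies on a RADIUS client being called from the custom adapter's TryEndAuthentication with the user name and the TOTP code submitted on the ADFS form. As an added example (not code from the thread, and not the nradius class the answer links to, whose API is not shown here), this is a minimal RFC 2865 Access-Request client in C#: it hides the PAP password with the MD5/XOR scheme from §5.2 and, the part that matters for an MFA gate, refuses to treat a reply as Access-Accept unless its Identifier matches and its Response Authenticator verifies under the shared secret. Host, port, shared secret and NAS-Identifier are placeholders; the class and method names are this example's own.

```csharp
// Added example, not from the thread or the nradius library. Placeholder
// server settings; the ADFS adapter would read these from its config data.
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Text;

public enum RadiusResult { Accept, Reject, Challenge, Timeout, BadAuthenticator }

public sealed class RadiusPapClient
{
    private readonly string _host; private readonly int _port;
    private readonly byte[] _secret; private readonly string _nasId;
    private readonly int _timeoutMs;

    public RadiusPapClient(string host, int port, string sharedSecret, string nasId, int timeoutMs = 5000)
    {
        _host = host; _port = port; _nasId = nasId; _timeoutMs = timeoutMs;
        _secret = Encoding.UTF8.GetBytes(sharedSecret);
    }

    // One Access-Request carrying User-Name (1), PAP User-Password (2) and
    // NAS-Identifier (32). Only a verified Access-Accept yields Accept.
    public RadiusResult Authenticate(string userName, string password)
    {
        byte[] reqAuth = new byte[16], idByte = new byte[1];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(reqAuth); rng.GetBytes(idByte); }
        byte id = idByte[0];

        byte[] attrs = Attribute(1, Encoding.UTF8.GetBytes(userName))
            .Concat(Attribute(2, HidePassword(Encoding.UTF8.GetBytes(password), reqAuth)))
            .Concat(Attribute(32, Encoding.UTF8.GetBytes(_nasId))).ToArray();

        int length = 20 + attrs.Length;                  // header is 20 bytes
        byte[] packet = new byte[length];
        packet[0] = 1;                                   // Code 1 = Access-Request
        packet[1] = id;
        packet[2] = (byte)(length >> 8); packet[3] = (byte)(length & 0xFF);
        Buffer.BlockCopy(reqAuth, 0, packet, 4, 16);
        Buffer.BlockCopy(attrs, 0, packet, 20, attrs.Length);

        byte[] response;
        using (var udp = new UdpClient())
        {
            udp.Client.ReceiveTimeout = _timeoutMs;
            udp.Send(packet, packet.Length, _host, _port);
            var remote = new IPEndPoint(IPAddress.Any, 0);
            try { response = udp.Receive(ref remote); }
            catch (SocketException) { return RadiusResult.Timeout; } // fail closed
        }

        if (response.Length < 20 || response[1] != id) return RadiusResult.BadAuthenticator;
        int respLen = (response[2] << 8) | response[3];
        if (respLen < 20 || respLen > response.Length) return RadiusResult.BadAuthenticator;
        if (!ResponseAuthenticatorValid(response, respLen, reqAuth)) return RadiusResult.BadAuthenticator;

        switch (response[0])
        {
            case 2: return RadiusResult.Accept;          // Access-Accept
            case 11: return RadiusResult.Challenge;      // Access-Challenge (not handled here)
            default: return RadiusResult.Reject;         // Access-Reject or anything unexpected
        }
    }

    private static byte[] Attribute(byte type, byte[] value)
    {
        if (value.Length < 1 || value.Length > 253) throw new ArgumentException("attribute value must be 1..253 bytes");
        byte[] a = new byte[2 + value.Length];
        a[0] = type; a[1] = (byte)a.Length;              // Length counts type and length octets
        Buffer.BlockCopy(value, 0, a, 2, value.Length);
        return a;
    }

    // RFC 2865 §5.2: pad to a 16-byte multiple; each block is XORed with
    // MD5(secret + previous cipher block), seeded with the Request Authenticator.
    private byte[] HidePassword(byte[] pwd, byte[] reqAuth)
    {
        if (pwd.Length < 1 || pwd.Length > 128) throw new ArgumentException("password must be 1..128 bytes");
        int padded = ((pwd.Length + 15) / 16) * 16;
        byte[] plain = new byte[padded], cipher = new byte[padded];
        Buffer.BlockCopy(pwd, 0, plain, 0, pwd.Length);
        byte[] prev = reqAuth;
        using (var md5 = MD5.Create())
            for (int i = 0; i < padded; i += 16)
            {
                byte[] b = md5.ComputeHash(_secret.Concat(prev).ToArray());
                for (int j = 0; j < 16; j++) cipher[i + j] = (byte)(plain[i + j] ^ b[j]);
                prev = cipher.Skip(i).Take(16).ToArray();
            }
        return cipher;
    }

    // RFC 2865 §3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    // Without this check a forged UDP datagram could pass as an Access-Accept.
    private bool ResponseAuthenticatorValid(byte[] resp, int len, byte[] reqAuth)
    {
        byte[] input = new byte[len + _secret.Length];
        Buffer.BlockCopy(resp, 0, input, 0, 4);
        Buffer.BlockCopy(reqAuth, 0, input, 4, 16);
        Buffer.BlockCopy(resp, 20, input, 20, len - 20);
        Buffer.BlockCopy(_secret, 0, input, len, _secret.Length);
        byte[] expected;
        using (var md5 = MD5.Create()) expected = md5.ComputeHash(input);
        int diff = 0;                                    // constant-time compare
        for (int i = 0; i < 16; i++) diff |= expected[i] ^ resp[4 + i];
        return diff == 0;
    }
}
```

In the adapter, TryEndAuthentication would pull the code from the submitted proof data, call `new RadiusPapClient("radius.example.invalid", 1812, "<shared-secret>", "adfs-mfa").Authenticate(userName, code)` and emit the authentication method claim only on `RadiusResult.Accept`; Timeout and BadAuthenticator both fail closed and are worth logging separately, since a burst of BadAuthenticator results indicates either a secret mismatch or spoofed replies. The constant-time comparison and the fail-closed defaults are deliberate: this class is the MFA decision point, so any ambiguity must resolve to a denial.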

All replies

  • Azure seems to readily support RADIUS for MFA... I'm not sure how close the technology of Azure is to ADFS; but if it can boil down to how they implement the communication in .NET; that would be great.
    Thursday, March 17, 2016 6:12 PM
  • ADFS does not support RADIUS as an authentication method I'm afraid, much as I would like to see it personally. Perhaps they'll introduce this functionality in a future version of the Web Application Proxy (WAP) but it's not possible today to my knowledge.

    http://blog.auth360.net

    Thursday, March 17, 2016 8:08 PM
  • Hi Mylo, thanks for your response. I kind of expected ADFS to not support RADIUS on the fly, but since .NET appears flexible enough to provide the tools to create adapters for custom authentication providers, I would think this is doable or someone out there could have done it already. The fact that Azure, F5, and possibly other technologies have this capability ready by default makes me think there is a way to do this in ADFS through .NET.

    I'll keep this post open for some time in case (hopefully) someone has an idea.

    Friday, March 18, 2016 9:56 AM
  • Thanks for the update and sharing your experience/knowledge! Glad to see you got it working.

    http://blog.auth360.net

    Saturday, March 26, 2016 11:44 AM
  • Thanks for sharing your experience and helpful information.

    Could you please share some links/documentation related to "setting up MFA in ADFS using Google Authenticator"? Is there any out-of-the-box functionality available in both ADFS and Google Authenticator for integration with little or no custom development?

    FYI, we have both Windows 2012 R2 and 2016 ADFS currently set up with SAML and OpenID Connect applications using WIA authentication.

    Tuesday, October 9, 2018 3:33 AM