Authentication policy for RDP

santonic — Mon, 08 Oct 2018 08:10:09 GMT

I have succesfuly implemented auth policy for http and https (with decryption).

But I can't get it to work for RDP. Yes, I know I need GP client for non-browser protocols.

Customer is using MS MFA server. As it's not supported by PA as MFA server we configured it as Radius server.

I have auth profile which uses Radius server profile towards MS MFA.

Captive portal is enabled, in redirect mode, redirects to internal interface of PA, response pages are enabled in mgmt profile, and it uses configured auth profile for MFA (Radius).

We have an auth policy for any service to single server with authenticaon method web-form and same authentication profile for MFA (Radius).

I've set Enable Inbound Authentication Prompts from MFA Gateways to Yes and I entered both PA interface with captive portal and MFA server address as Trusted MFA Gateways.

When we try a RDP connection; we see the connection in session browser, details say that it hits the correct auth rule, has value False for captive portal and nothing happens. Session isn't logged in traffic log, no new entries in authentication logs, nothing in authd.log.

Packet capture shows succesful TCP 3 way handshake and reset form server soon after.

Re: Authentication policy for RDP

MichaelMelone — Tue, 09 Oct 2018 22:24:31 GMT

Did you open udp port 4501 on the host firewall of the host running the GP client? Only with that port open on the host will you see the authentication prompt pop up from the GP client. I had to do this for SSH auth policy. The service in the auth policy will be the TCP RDP port.

Re: Authentication policy for RDP

santonic — Wed, 10 Oct 2018 06:12:23 GMT

Yeah I did. But didn't see any traffic on that port. Also didn't see that traffic in packet caprure I did on the PC from where I was testing.

topic Re: Authentication policy for RDP in General Topics

Authentication policy for RDP

Re: Authentication policy for RDP

Re: Authentication policy for RDP