10-08-2018 01:09 AM - edited 10-08-2018 01:10 AM
I have successfully implemented auth policy for http and https (with decryption).
But I can't get it to work for RDP. Yes, I know I need GP client for non-browser protocols.
Customer is using MS MFA server. As it's not supported by PA as MFA server we configured it as Radius server.
I have auth profile which uses Radius server profile towards MS MFA.
Captive portal is enabled, in redirect mode, redirects to internal interface of PA, response pages are enabled in mgmt profile, and it uses configured auth profile for MFA (Radius).
We have an auth policy for any service to a single server with authentication method web-form and the same authentication profile for MFA (Radius).
I've set Enable Inbound Authentication Prompts from MFA Gateways to Yes and I entered both PA interface with captive portal and MFA server address as Trusted MFA Gateways.
When we try an RDP connection, we see the connection in session browser, details say that it hits the correct auth rule, has value False for captive portal and nothing happens. Session isn't logged in traffic log, no new entries in authentication logs, nothing in authd.log.
Packet capture shows successful TCP 3-way handshake and reset from server soon after.
10-09-2018 03:24 PM
Did you open udp port 4501 on the host firewall of the host running the GP client? Only with that port open on the host will you see the authentication prompt pop up from the GP client. I had to do this for SSH auth policy. The service in the auth policy will be the TCP RDP port.
10-09-2018 11:12 PM
Yeah I did. But didn't see any traffic on that port. Also didn't see that traffic in the packet capture I did on the PC from where I was testing.
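The reply above suggests confirming that inbound UDP 4501 (the port the GlobalProtect client receives MFA prompts on) is actually open on the client host. The following is an added diagnostic example, not code from the thread or from Palo Alto Networks: it binds a UDP listener on a port and sends it a constructed probe datagram, reporting whether the probe arrived before a timeout. A probe that never arrives is what a host-firewall drop looks like from the client's side. The port default of 4501 comes from the thread; the probe payload and function names are this example's own.

```python
"""
Added example: check whether a UDP listener on a given port actually
receives a datagram.  4501 is the port named in the thread for inbound
GlobalProtect MFA prompts; everything else here is constructed.
"""
import socket
import threading

PROMPT_PORT = 4501  # UDP port named in the thread for inbound MFA prompts


def start_listener(host: str, port: int, timeout: float) -> socket.socket:
    """Bind a UDP socket on host:port (port 0 = ephemeral) and return it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.settimeout(timeout)
    return sock


def probe_udp_port(host: str, port: int, timeout: float = 2.0) -> dict:
    """
    Start a listener on host:port, send it a constructed probe datagram and
    report the outcome.  Returns {"port": int, "received": bool,
    "payload": bytes | None}.  A False "received" means nothing arrived
    within the timeout, i.e. the symptom of a blocked inbound UDP port.
    """
    listener = start_listener(host, port, timeout)
    bound_port = listener.getsockname()[1]  # resolved if port 0 was requested
    result = {"port": bound_port, "received": False, "payload": None}

    def wait_for_probe():
        try:
            data, _ = listener.recvfrom(1024)
            result["received"] = True
            result["payload"] = data
        except socket.timeout:
            pass  # nothing arrived: leave received=False

    waiter = threading.Thread(target=wait_for_probe)
    waiter.start()

    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe = b"mfa-prompt-probe"  # constructed payload, not a real GP message
    sender.sendto(probe, (host, bound_port))
    waiter.join()
    sender.close()
    listener.close()
    return result


if __name__ == "__main__":
    # Loopback run: shows the mechanics, but loopback traffic normally bypasses
    # the host firewall, so for a real test run the listener on the client and
    # send the probe from another machine on the network.
    outcome = probe_udp_port("127.0.0.1", PROMPT_PORT)
    state = "received" if outcome["received"] else "NOT received (blocked or no listener)"
    print(f"UDP {outcome['port']}: probe {state}")
```

Loopback traffic is usually exempt from host firewall rules, so the meaningful version of this check is to run only the listener half on the GlobalProtect client and send the datagram from a second host; if that probe times out while the loopback run succeeds, the host firewall (or something between the two machines) is dropping inbound UDP on that port.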