Forum / Devolutions Password Server - Support

2FA RADIUS Feature Info

  • Create an Issue
  • Cancel

Hi Support,
We are looking to implement 2FA into RDM/Password server. We have an existing RADIUS based 2FA platform which works nice as it has push notification we need to use. But I'm not sure how or if DPS can pass through the authentication requests to the RADIUS server. After turning on the RADIUS 2FA setting for a test user I get prompted after the initial Authentication for the RADIUS code. Obviously this is not a standard RADIUS auth being sent (like VASCO and others use) for 2FA auth.
Do you have some documentation available or have some suggestions. Basically what we require is the initial authentication credentials are checked against AD (working now) then passed through to RADIUS server to confirm credentials (which will invoke our 2FA platform which is WatchGuard AuthPoint to send a push notification to verify access).
Any information or assistance would be appreciated.

thanks
Jason

Clock30 days

upon some deeper inspection I'm not seeing the RADIUS packets hit the radius server. It looks like DPS is not even sending the request. If i press the test button in the radius setup window in DPS admin -> password server settings -> two factor -> radius it says everything is "successful" no matter what credentials I put in there. I think there might be a bug.

Clock30 days


Hello,

This is a known issue and the engineering team have added some logs in the DPS to see what is happening with the Radius 2FA. As we do not own such Radius configuration, are you interested to help us identifying the issue?

If so, please go in Administration - Password Server Settings - Logging on the DPS web interface and enable the Log Debug Information option to raise the debug level. Then, please try to login with a Radius 2FA configured account and send us all message logs related to the Radius 2FA from the DPS logs you will find in Reports - Data Source Logs on the DPS web interface.

Best regards,



Érica Poirier

signaturesignature

Clock30 days


Hello Erica

I also did this update to use Azure MFA within RADIUS. Now RADIUS Authentication does not work at all.

What is the ETA for the fix?

Honestly, you should really more internal testing. Setting up RADIUS is not rocket science.

Thank you, John

Clock24 days

Hello John,

Thank you for your feedback.

In fact, the Azure MFA within Radius is not available yet with DPS. There is already a feature request about this on our forum here. Let me know if that is what your want to implement with your DPS instance.

Best regards,



Érica Poirier

signaturesignature

Clock23 days


Hi Erica

I don't need Azure MFA Support for the Password Server, I only need a working RADIUS feature with a 30 - 60 seconds timeout. The MFA is done by the RADIUS Server and the installed NPS extensions for Azure MFA. With this method, I can use every service which supports RADIUS together with Azure MFA, the service does not have to care about Azure MFA as long I can set a long enough timeout for the RADIUS request because the user needs enough time to confirm the request.

Best regards, John

Clock21 days


Hi John,

Thank you for the information.

The engineering team is working on the Radius issue to resolve it but we cannot provide a time frame for the release of the fix. I will ask for a priority increase on the ticket. Once an update will be available, I will keep you posted.

Best regards,



Érica Poirier

signaturesignature

Clock21 days

Hi Érica

finally got those log files. Please see attached. Would be great to get this sorted. But it would also be good to get clarification on how DPS RADIUS auth is supposed to work for 2FA. Most other implementations of RADIUS for 2FA simply send the submitted username/password (which may contain 2FA code at end). In our case we need that submitted to the radius server and that will perform a push to the token for multi factor auth.


We have transitioned the team to google authenticator 2FA in the mean time but that also appears to be a little buggy with a lot of issues around timing of input of the 2FA code and a lot of tokens needing to be reset several times before they work correctly.

Thanks

Jason

download.csv
Clock11 days

Hello,

Thank you for the information and the logs file. I will inform our engineering team about the Radius 2FA method you have described.

The error message you have in the logs has already been fixed internally and once an update will be available, I will keep you posted. Incidentally, we cannot provide a timeline for its delivery.

Best regards,




Érica Poirier

signaturesignature

Clock10 days

Hi,

we have exactly the same problem and so radius is not working at all.
Will the fix be inlcuded in next DPS update end of february?

Regards,
Ingo

Clock4 days


Hello Ingo,

The fix for the ArgumentException - Destination array was not long enough error will be in the next DPS version 2020.1.

Best regards,



Érica Poirier

signaturesignature

Clock4 days