From d6c918a7f16b9514bba103ebc9755c5e3577e8e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakob=20Aar=C3=B8e=20Dam?= Date: Tue, 28 Apr 2015 15:32:03 +0200 Subject: [PATCH 1/4] Update README.md --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 470c1a2..fd88d61 100644 --- a/README.md +++ b/README.md @@ -49,5 +49,9 @@ $ restart-server.bat ## Acknowledgements -* Claus Isager - for the proof of concept two factor RDS authentication +* Claus Isager - for the first Open Source two factor RDS authenticator; which this project is based upon. * Nikolay Semov - for the core RADIUS server + +## License + +RDS Factor is an open source project, sponsored by [Origo Systems A/S](https://origo.io), under the GNU general public license version 3. From 65117f24f86a384fd3a3a75e409d1b15b73faeba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakob=20Aar=C3=B8e=20Dam?= Date: Wed, 29 Apr 2015 09:38:43 +0200 Subject: [PATCH 2/4] Update README.md --- README.md | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index fd88d61..f93c1cf 100644 --- a/README.md +++ b/README.md 
@@ -3,8 +3,12 @@ Two-factor authentication for Remote Desktop Services (RDS). RDS Factor consist of two components: -* A server component that talks RADIUS with RD Web and the RD Gateway -* An updated version of the RD Web pages that interacts with the RADIUS server and ask users to enter one-time passwords sent to their phone before letting them in. +* A server component that talks RADIUS with RD Web and the RD Gateway. +* An updated version of the RD Web pages that interacts with the RADIUS server and an opt-in multi-factor form. + +RDS Factor works by sending an SMS to users -- after they authenticate with username / password -- which when entered allow them entrance to RD Web. When users click on an applicaiton in RD Web a window is opened in the gateway for that user. In that way, users that are not authenticated via RD Web can't get access through RD Gateway. Compare this to the standard RDS setup, where there is no way to share state between RD Web and RD Gateway, meaning that the gateway is always open for user / password only authentication. + +It is also possible to disable two factor authentication in RDS Factor. In this case, RDS Factor still maintains state between RD Web and RD Gateway, ensuring that users have logged into RD Web before connections are allowed through the gateway. That means custom multi-factor authenticators can be put in front of RD Web and also protect the gateway. Tested on Windows 2012 R2. 
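Review bot: the new paragraph starting `RDS Factor works by sending an SMS to users` leaves out the two facts a deployer needs to judge how closed the gateway really is: how long an RD Web login keeps RD Gateway open for that user, and what the gateway matches a connection on (username alone, or username plus client address). Please state the validity window and the matching key here. Same paragraph: `applicaiton` should be `application`. The first added line, `RDS Factor consist of two components`, should read `consists`, and the second bullet, `interacts with the RADIUS server and an opt-in multi-factor form`, is hard to parse; suggest `interacts with the RADIUS server and, when two-factor is enabled, prompts for the one-time password`. The last new paragraph should also say plainly that with two-factor disabled a plain username/password login to RD Web is all that opens the gateway, so the gateway is only as strong as whatever is placed in front of RD Web.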
@@ -20,31 +24,30 @@ An RDS setup. There are many options for orchestrating the RDS setup; the minima RDS factor comes with a customized version of the RD Web pages. To install these run: ``` -$ install-web.bat +C:\RDSFactor> install-web.bat ``` -After install go and configure the application in IIS. RDWeb -> Pages -> Application Settings. You should configure the following settings: -* RadiusServer (IP of the radius server) -* RadiusSecret (Shared secret used for encryption of RADIUS traffic) +After install go and configure the application in IIS. `RDWeb -> Pages -> Application Settings`. You should configure the following settings: +* `RadiusServer` (IP of the radius server) +* `RadiusSecret` (Shared secret -- of your own chosing -- used for encrypting RADIUS traffic) ### RADIUS server installation The RADIUS server component can be installed on any server reacheable by both the RD Web and the RD Gateway. To install the server as a service run: ``` -$ install-server.bat +C:\RDSFactor> install-server.bat ``` -After install go and configure the server. Open the file RDSFactor/server/bin/release/conf.ini for editing. You should configure the following settings: -* LDAPDomain (IP of server to authenticate the user against and lookup phonenumber) -* ADField (LDAP attribute to use for looking the user's phonenumber) -* {client}={shared secret} should be added in the clients section - -Note that the client should be the IP of RD Web, and the shared secret must match the value of RadiusSecret in the IIS. +After install go and configure the server. Open the file `RDSFactor/server/bin/release/conf.ini` for editing. You should configure the following settings: +* `LDAPDomain` IP of server to authenticate the user against and lookup phonenumber +* `ADField` LDAP attribute to use for looking the user's phonenumber +* `{client}={shared secret}` IP of RD Web and shared secret -- same as `RadiusSecret`-- for encryption +* `Provider` URL of SMS provider. 
RDS Factor inserts the number and a message in the two variable, `***NUMBER***` and `***TEXTMESSAGE***`, in the provider URL. An example URL using the SMS gateway cpsms: https://www.cpsms.dk/sms/?username=myuser&password=mypassword&recipient=***NUMBER***&message=***TEXTMESSAGE***&from=CPSMS To reload the configuration restart the RADIUS server service by running ``` -$ restart-server.bat +C:\RDSFactor> restart-server.bat ``` ## Acknowledgements From 2a2039001ee03818fe49074d0388815ab5be8cde Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakob=20Aar=C3=B8e=20Dam?= Date: Wed, 29 Apr 2015 09:39:21 +0200 Subject: [PATCH 3/4] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f93c1cf..b260efb 100644 --- a/README.md +++ b/README.md @@ -28,8 +28,8 @@ C:\RDSFactor> install-web.bat ``` After install go and configure the application in IIS. `RDWeb -> Pages -> Application Settings`. You should configure the following settings: -* `RadiusServer` (IP of the radius server) -* `RadiusSecret` (Shared secret -- of your own chosing -- used for encrypting RADIUS traffic) +* `RadiusServer` IP of the radius server +* `RadiusSecret` Shared secret -- of your own chosing -- used for encrypting RADIUS traffic ### RADIUS server installation From 386606b4627ff294022716b476fb64df5c74b26a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakob=20Aar=C3=B8e=20Dam?= Date: Wed, 29 Apr 2015 09:41:42 +0200 Subject: [PATCH 4/4] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b260efb..c024167 100644 --- a/README.md +++ b/README.md 
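Review bot: in the second hunk of PATCH 2/4 (the `@@ -20,31` installation section), the `Provider` line stores the SMS gateway username and password inside a URL in `RDSFactor/server/bin/release/conf.ini`, and the cpsms example sends the one-time password as a GET query parameter; the doc should tell the reader to restrict read access to conf.ini and to expect the OTP to show up in the provider's request logs. It should also say whether the phone number and message text are URL-encoded before substitution, since a message containing a space or `&` would otherwise break the query string. `RDS Factor inserts the number and a message in the two variable` should read `into the two variables`. Minor: `reacheable` in the unchanged context and `chosing` in the `RadiusSecret` line are misspelled, and `RadiusServer` IP of the radius server gives no UDP port, which the reader needs to open the path between RD Web, RD Gateway and the RADIUS host.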
@@ -40,8 +40,8 @@ C:\RDSFactor> install-server.bat ``` After install go and configure the server. Open the file `RDSFactor/server/bin/release/conf.ini` for editing. You should configure the following settings: -* `LDAPDomain` IP of server to authenticate the user against and lookup phonenumber -* `ADField` LDAP attribute to use for looking the user's phonenumber +* `LDAPDomain` IP of LDAP server to authenticate user and lookup phonenumber against +* `ADField` LDAP attribute to use for looking up the user's phonenumber * `{client}={shared secret}` IP of RD Web and shared secret -- same as `RadiusSecret`-- for encryption * `Provider` URL of SMS provider. RDS Factor inserts the number and a message in the two variable, `***NUMBER***` and `***TEXTMESSAGE***`, in the provider URL. An example URL using the SMS gateway cpsms: https://www.cpsms.dk/sms/?username=myuser&password=mypassword&recipient=***NUMBER***&message=***TEXTMESSAGE***&from=CPSMS
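Review bot: in PATCH 4/4, `LDAPDomain IP of LDAP server to authenticate user and lookup phonenumber against` still does not say whether the bind is plain LDAP or LDAPS, nor which account performs the phone-number lookup; since the RADIUS server forwards the user's password to this host, please name the protocol and port and recommend LDAPS, and use `look up` and `phone number` as two words. The unchanged context line `{client}={shared secret} IP of RD Web and shared secret -- same as RadiusSecret -- for encryption` is misleading: a RADIUS shared secret authenticates packets and obscures only the User-Password attribute, the rest of the exchange travels in clear, so `for encryption` should read something like `used to authenticate RADIUS packets and hide the password attribute`. Because the client list is keyed on the IP of RD Web, the doc should also advise exposing the RADIUS port only to RD Web and RD Gateway.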
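Review bot: in PATCH 3/4 (the `@@ -28,8` hunk), the `RadiusSecret` line still says the secret is `used for encrypting RADIUS traffic`, which overstates what a RADIUS shared secret does (it authenticates packets and hides the User-Password attribute; other attributes are sent in clear), and `chosing` should be `choosing`. Suggested wording: `RadiusSecret` Shared secret of your own choosing; must match the entry for this RD Web host in the RADIUS server's client list. Since this secret is the only thing tying RD Web to the RADIUS server, a sentence on choosing a long random value would also help.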
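Review bot: in PATCH 1/4, the new `## License` section declares GPLv3, but this patch, like the rest of the series, touches only README.md, so the repository still has no LICENSE file carrying the license text; please add `LICENSE` with the GPLv3 text in the same change and link the license name (https://www.gnu.org/licenses/gpl-3.0.html) the way the sponsor is linked. Style: `GNU general public license version 3` should be capitalised `GNU General Public License version 3`, and the semicolon in `authenticator; which this project is based upon` should be a comma.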