ADFS 3.0 MFA with RADIUS authentication as second factor (authentication provider for RADIUS)?

0
votes

Please bear with me as I explain the scenario for this to make sense. We have an existing remote access infrastructure that uses RADIUS for 2FA - LDAP (AD) and a 3rd party TOTP provider. The TOTP provider could be RSA, Yubikey, Google, Azure, etc - the RADIUS server is already configured to allow multiple possible TOTP provider as the 2nd factor for authentication.

Now we want to implement ADFS to some of our service providers because of its robust authorization claim rules; but we want to have the security of having a 2nd factor for authentication, and the flexibility that we currently have in our RADIUS setup. Instead of having the same TOTP providers set up for ADFS MFA, which would be redundant, as it is already configured in RADIUS, we thought it would be possible to use the result of RADIUS authentication instead as the 2nd factor for authentication in ADFS. Aside from that, we want to have a single point of entry in our network for obvious security reasons, so we cannot have both ADFS and RADIUS on the perimeter. We of course want to maintain SAML-based SSO so relying on RADIUS alone is not an option. I want to make it clear that we do not want to replace RADIUS since too many systems are already dependent on it; what we want is to consume its existing functionality for ADFS MFA.

We currently have this scenario setup on our F5 APM SAML-IdP so this is not something new. I just want to know if this is possible for ADFS, and how difficult it would be to implement to even consider replacing the current F5 setup. If F5 APM can do it; then perhaps ADFS can too? Well, that's my reasoning at least.

I looked through possible options and found that it is necessary to create a custom authentication provider, as described in this link:

https://blogs.technet.microsoft.com/cloudpfe/2014/02/01/how-to-create-a-custom-authentication-provider-for-active-directory-federation-services-on-windows-server-2012-r2-part-2/

The instruction is detailed enough to implement this for testing; but I find that it highly depends on the actual source of the 2nd factor for authentication. I found clear instructions for implementing this using Google Authenticator and Yubikey (aside from the readily supported MFA providers); but I could not find instructions on creating an authentication provider for RADIUS.

Is this even possible? Can anyone point me to the right direction?

2
c#.netauthenticationadfsradius

2 Answers

0
votes

It should be possible for you to do this. Some notes based on what you mentioned

  • Since you mentioned that you have multiple TOTP providers, you will need the adapter in ADFS to ask for the TOTP provider
  • Once you have the TOTP provider, you can control the input form for this. This can be handled generically in an edit field who's UX you can control via Java Script
  • Once you have the provider ID and the OTP, I'm assuming that you can call this through some RADIUS API to perform the validation and get back a result.

Hope that helps.

Thanks //Sam (@MrADFS)

0
votes

For anyone who's wondering; I was able to implement this by creating a custom authentication provider as described in the technet blog I posted in the question:

https://blogs.technet.microsoft.com/cloudpfe/2014/02/01/how-to-create-a-custom-authentication-provider-for-active-directory-federation-services-on-windows-server-2012-r2-part-2/

I used a .NET class in this link to implement a RADIUS client for the provider since I could not find any other .NET API:

http://nradius.nw-network.com/web/

Anyway, it worked perfectly! Too bad I could not find out who developed that class but I did send an anonymous thanks.