Implementing a form of port knocking + Phone Factor = 2 Factor auth for RDP?

Posted by jshin47 on Server Fault
Published on 2012-09-04T21:30:21Z Indexed on 2012/09/04 21:40 UTC

I have been looking into how to secure a publicly-available RDP endpoint and want to implement our two-factor authentication RADIUS server, PhoneFactor. I would like to implement the following process:

  1. User opens up web app in browser
  2. In web app, user enters username + password, initiates RADIUS auth
  3. PhoneFactor calls user to complete auth
  4. Once user is authenticated, port 3389 is opened on user's IP on pfSense firewall.
  5. After some amount of time, firewall rule is removed for that IP

I would like to know the following:

  1. Is this a typical setup? If it is a bad idea, please explain why.
  2. If it is possible, are there any packages that assist with this? Specifically, the third step, where the appropriate firewall rule would need to be added...

Edit: I am aware of TS Web Gateway, but I want the users to be able to use the traditional RDP client...
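The flow in the question, reduced to its three technical pieces as an added example (this is not code from the post, from PhoneFactor or from pfSense): build a PAP Access-Request for the PhoneFactor RADIUS server, verify that the Access-Accept really came from that server before trusting it, and keep a time-limited allow list that is mirrored into a pf table on the firewall. The RADIUS server address, shared secret, client IPs and the table name `rdp_allowed` are hypothetical; the example assumes a pfSense rule along the lines of `pass in on WAN proto tcp from <rdp_allowed> to any port 3389` that references that table, and it returns the `pfctl` commands to run rather than running them, so everything but `send_request()` works offline.

```python
import hashlib
import hmac
import os
import socket
import struct
import time
from typing import List, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

RADIUS_SERVER = ("10.0.0.5", 1812)   # hypothetical PhoneFactor RADIUS agent
PF_TABLE = "rdp_allowed"             # hypothetical pf table used by the 3389 pass rule


def encrypt_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Code | Identifier | Length | Request Authenticator | attributes."""
    attrs = attribute(ATTR_USER_NAME, username.encode()) + attribute(
        ATTR_USER_PASSWORD, encrypt_pap_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, ident: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side (RFC 2865 3): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Included so the server's answer can be simulated offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def access_granted(response: bytes, ident: int, request_authenticator: bytes, secret: bytes) -> bool:
    """True only for an Access-Accept bound to our request by the shared secret.
    Without this check, a spoofed UDP packet from the server's address opens 3389."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    if response[1] != ident:
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]) and response[0] == ACCESS_ACCEPT


class RdpAllowList:
    """Time-limited allow list mirrored into a pf table; returns the pfctl
    commands to run on the pfSense box instead of running them."""

    def __init__(self, table: str = PF_TABLE):
        self.table = table
        self.expires_at = {}

    def grant(self, ip: str, ttl_seconds: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        self.expires_at[ip] = now + ttl_seconds
        return f"pfctl -t {self.table} -T add {ip}"

    def expire(self, now: Optional[float] = None) -> List[str]:
        """Call periodically (cron, or a thread); step 5 of the question."""
        now = time.time() if now is None else now
        stale = [ip for ip, t in self.expires_at.items() if t <= now]
        for ip in stale:
            del self.expires_at[ip]
        return [f"pfctl -t {self.table} -T delete {ip}" for ip in stale]


def send_request(packet: bytes, server=RADIUS_SERVER, timeout: float = 90.0) -> bytes:
    """PhoneFactor places the phone call before it answers, so the UDP
    timeout has to cover the call, not the usual couple of seconds."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, server)
        return sock.recv(4096)


def login(username: str, password: str, client_ip: str, secret: bytes,
          allow_list: RdpAllowList, ttl_seconds: int = 600,
          transport=send_request) -> Optional[str]:
    """Web-app login handler: the pfctl command to run on success, None otherwise."""
    ident = os.urandom(1)[0]
    request_auth = os.urandom(16)      # fresh per request, never reused
    packet = build_access_request(ident, username, password, secret, request_auth)
    response = transport(packet)
    if not access_granted(response, ident, request_auth, secret):
        return None
    return allow_list.grant(client_ip, ttl_seconds)
```

The web app should see the real client IP (not a proxy's), since that is what ends up in the table, and the `pfctl` commands need to reach the firewall over an authenticated channel (for example an SSH key restricted to those two commands); this example deliberately stops at producing them.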

© Server Fault or respective owner
