bdalpe / RADIUS-to-Okta-MFA

A utility to support Windows Remote Desktop Gateway MFA with Okta.
MIT License

Push Approved but RDP not working #131

Closed zaffry007 closed 4 months ago

zaffry007 commented 5 months ago

Hi, I came across your script when I was trying to set up MFA for my RDS farm, because Okta's RADIUS is not working properly and they are not providing any support at the moment. Your script is working up to the point where I get prompted for the MFA. When I click yes and approve it, it does show up in the logs as the approval being pushed, but for some reason nothing happens on the RDP session; it just keeps saying "initiating connection". Is this something common? Have you come across this issue? Do you think I have to make any changes on the gateway server or something? Could you please let me know, it would be a great help.

bdalpe commented 5 months ago

@zaffry007 do you have any logs from the app you can sanitize and share?

zaffry007 commented 5 months ago

@bdalpe what's the location where the app saves the logs?

bdalpe commented 5 months ago

@zaffry007 If you're running in a Docker container, you can grab the logs using:

docker container logs <container> > radius.log

If you used the docker-compose.yml file provided in this project, you can grab the logs using:

docker-compose logs radius > radius.log
# or
docker compose logs radius > radius.log

zaffry007 commented 5 months ago

Hi @bdalpe, I am running it on Ubuntu Server, not in Docker.

bdalpe commented 5 months ago

To make sure I understand, you ran the program like this, as in the instructions?

pip3 install -r requirements.txt
/bin/sh run.sh

If that's the case, then you can tee the logs to a file:

/bin/sh run.sh | tee -a radius.log

zaffry007 commented 5 months ago

Hi @bdalpe, please find attached:

radius.log

bdalpe commented 4 months ago

@zaffry007 which users are experiencing this issue? Are your users opening multiple sessions at the same time to the RDG? Any additional info you can share with me that might help troubleshoot?

Based on the log file you attached:

zaffry007 commented 4 months ago

Both rander and arcbill. They are approving the pushes but nothing happens; it just times out after 60 seconds.

zaffry007 commented 4 months ago

They are opening only a single session, but for some reason during the 30 second or 60 second timeout the MFA is pushed multiple times on Okta. But even if approved, nothing happens; it just times out, yet shows as approved in the logs.

bdalpe commented 4 months ago

@zaffry007 It sounds like your timeout may be set too low for desired behavior. Can you tell me what the settings are for your configured Load Balancing options?

Go to your NPS -> Remote RADIUS Server Groups -> Open the configured server group for this application -> Edit the RADIUS server configured -> Go to the Load Balancing tab.

Take a look at this doc for steps 1-8 to find the settings: https://docs.secureauth.com/arculix/en/microsoft-remote-desktop-gateway-radius-integration.html

zaffry007 commented 4 months ago

@bdalpe Thank you for coming back. The load balancing options are set to 60 seconds for both timeouts.

bdalpe commented 4 months ago

In the app, the polling timeout to Okta is just above 60 seconds, since we're checking the status every 4-5 seconds (roughly 65 seconds total until timeout and a failure result is sent back to the NPS). You can configure this with the OKTA_POLL_TIMEOUT environment variable.

https://github.com/bdalpe/RADIUS-to-Okta-MFA/blob/fd1747e3d2b9b307eaf7c5389924279bb38cb951/okta.py#L49

If your timeout is configured at 60 seconds, the NPS thinks Okta timed out and sends a new request, which is the behavior I believe you're seeing. I'd recommend you configure the "Number of seconds without response before request is considered dropped" to something around 120 seconds so that you can always get back a failure response.

Try that out and let me know if you get better behavior.
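
To make the timing relationship in the comment above concrete, here is an added example (my own Python, not code from the RADIUS-to-Okta-MFA project) that models the push-polling loop against a simulated clock and checks an NPS "seconds without response before request is considered dropped" value against the app's slowest possible reply. The function names, the 5 second interval, the 0.5 second per-call Okta latency and the 60 second default for OKTA_POLL_TIMEOUT are assumptions made for the example, not the project's documented values.

```python
"""Added example (not code from the RADIUS-to-Okta-MFA project): an offline
model of the push-polling loop described in the thread, used to check whether
the NPS 'seconds without response before request is considered dropped' value
is long enough to always receive the app's RADIUS reply. Names, defaults and
the simulated latencies are assumptions for this example."""
import os
from dataclasses import dataclass

# Okta reports a push factor as WAITING until the user acts; SUCCESS and
# REJECTED end the loop. The no-answer case is covered by the app's own
# poll timeout, which is what the NPS timeout must be compared against.
TERMINAL = {"SUCCESS", "REJECTED"}


class FakeClock:
    """Simulated clock so the example runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


@dataclass
class PollOutcome:
    result: str      # "SUCCESS", "REJECTED" or "TIMEOUT"
    elapsed: float   # simulated seconds from RADIUS request to RADIUS reply


def make_okta_stub(clock, approve_at=None, api_latency=0.5):
    """Stand-in for the Okta verify call (constructed, not a real API call).
    Each call costs api_latency simulated seconds; the push counts as approved
    once the clock passes approve_at (None = the user never answers)."""
    def check_status():
        clock.sleep(api_latency)
        if approve_at is not None and clock.now() >= approve_at:
            return "SUCCESS"
        return "WAITING"
    return check_status


def poll_push(check_status, poll_timeout, poll_interval, clock):
    """Poll Okta every poll_interval seconds until a terminal result or until
    poll_timeout seconds have elapsed: check every few seconds, give up a
    little after the configured timeout, always send something back."""
    start = clock.now()
    while True:
        status = check_status()
        elapsed = clock.now() - start
        if status in TERMINAL:
            return PollOutcome(status, elapsed)
        if elapsed >= poll_timeout:
            # Answer with a failure so NPS gets an Access-Reject, not silence.
            return PollOutcome("TIMEOUT", elapsed)
        clock.sleep(poll_interval)


def worst_case_reply(poll_timeout, poll_interval, api_latency=0.5):
    """Seconds until the app answers when the user never responds. This is
    later than poll_timeout itself: the loop only notices the deadline on the
    first status check that completes at or after it."""
    clock = FakeClock()
    outcome = poll_push(make_okta_stub(clock, None, api_latency),
                        poll_timeout, poll_interval, clock)
    return outcome.elapsed


def nps_timeout_is_safe(nps_dropped_after, poll_timeout, poll_interval,
                        api_latency=0.5):
    """True if NPS is still waiting when the app's slowest reply arrives.
    If False, NPS marks the request dropped and retransmits, and each
    retransmission starts a fresh Okta push for the same login attempt."""
    return nps_dropped_after > worst_case_reply(poll_timeout, poll_interval,
                                                api_latency)


def poll_timeout_from_env(default=60):
    """OKTA_POLL_TIMEOUT is the variable named in the thread; the default of
    60 here is an assumption for this example, not the project's own default."""
    return int(os.environ.get("OKTA_POLL_TIMEOUT", default))


if __name__ == "__main__":
    timeout, interval = poll_timeout_from_env(), 5
    worst = worst_case_reply(timeout, interval)
    print(f"app replies no later than {worst:.1f}s after the request")
    for nps in (60, 120):
        verdict = "ok" if nps_timeout_is_safe(nps, timeout, interval) else "NPS retransmits"
        print(f"NPS dropped-after = {nps}s: {verdict}")
```

With the thread's numbers (60 second poll timeout, checks every 5 seconds) the model answers no earlier than about 61 seconds when nobody approves, so an NPS value of exactly 60 seconds always loses the race and re-sends the Access-Request, which is the repeated-push symptom reported above; 120 seconds leaves ample margin. The same check applies to any other poll interval or timeout you set through OKTA_POLL_TIMEOUT.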

bdalpe commented 4 months ago

@zaffry007 Please reopen if needed, otherwise I'm assuming changing the timeout settings has resolved the issue.