multiOTP / multiOTPCredentialProvider

multiOTP Credential Provider is a V2 Credential Provider for Windows 7/8/8.1/10/2012(R2)/2016 with options like RDP only and UPN name support
Apache License 2.0

Deactivate OTP check for certain IP addresses -> resolved by using a gateway in a DMZ #101

Closed skimpel closed 4 months ago

skimpel commented 4 months ago

Hello

It is possible to disable OTP check for local logins and force it for rdp.

Is it conceivable to limit the OTP check for rdp only to certain IP addresses or to deactivate it for certain IP addresses (whitelist/blacklist)?

Thanks

Regards Stefan

multiOTP commented 4 months ago

Hello,

It is possible to disable OTP check for local logins and force it for rdp? Yes, check the options when installing the Credential Provider, and/or check the README ;-)

Is it conceivable to limit the OTP check for rdp only to certain IP addresses or to deactivate it for certain IP addresses (whitelist/blacklist)? No, as the RDP protocol is forwarding the INTERNAL IP address of the RDP client, and not the real IP address. Example: if you allow remote access via NAT, a local IP address of 192.168.2.12 will be seen as 192.168.2.12 (ok), BUT a remote connected computer with a local IP address of 192.168.2.12 using an external IP address of 8.9.10.11 will also be seen as 192.168.2.12 (WHICH IS NOT GOOD AT ALL).

Regards,

skimpel commented 4 months ago

This is a pity. I'm connecting via a Remote Desktop Gateway and with netstat -aon I see the client IP address as the gateway's address, which is exactly what I was hoping for. Connections via the Remote Desktop Gateway should result in an OTP check, while local logins from certain local addresses should not require this. Thanks anyway. Stefan

multiOTP commented 4 months ago

Hello Stefan, Try with several connections from several IPs, not only one connection. You will see that you unfortunately cannot match the different netstat -aon output with the RDP sessions login. If you have any solution, we would be glad to add them in our Credential Provider. Regards,

devopsido commented 4 months ago

Skimpel, It sounds like you want to implement MFA at the initial authentication point when users are coming from the internet, is this correct? In this case it would be the authentication that happens at the RD Gateway, but unfortunately there is no interface there to allow a user to enter a second factor. This is why most RD Gateway solutions use push notifications. (see MultiOTP issue #54 - it is in the works)

I do not know your current network layout and I cannot find the relevant parts of the README for permitting a local network to bypass MFA, but could you possibly segment the RD Gateway's (internal) network interface as its own subnet then force MFA for connections from THAT network?

Having the RD Gateway in a DMZ or segmented doesn't seem like a bad idea anyway.

skimpel commented 4 months ago

> Hello Stefan, Try with several connections from several IPs, not only one connection. You will see that you unfortunately cannot match the different netstat -aon output with the RDP sessions login. If you have any solution, we would be glad to add them in our Credential Provider. Regards,

I tried several ways and different endpoints.

Connection from public IP (Windows, Linux, mobile phone) via different Remote Desktop Gateways (Microsoft and Thincast): the IP address of the connection is always the local IP address of the gateway. It doesn't matter whether the gateway is in a DMZ or in the same subnet. This also fits with how I understand the Remote Desktop Gateway, because in the actual sense the gateway is the client. Therefore I can distinguish whether the connection comes from externally via the gateway or from an internal address.

I haven't tried NAT redirection because I would NEVER do that (I've had some very bad experiences with it).

I don't know which address the multiOTP credential provider ultimately sees, but in Windows I can't see any other address, neither via netstat nor in the event logs. For my specific situation, a whitelist whose addresses deactivate 2FA would be the ideal solution.

skimpel commented 4 months ago

> Skimpel, It sounds like you want to implement MFA at the initial authentication point when users are coming from the internet, is this correct? In this case it would be the authentication that happens at the RD Gateway, but unfortunately there is no interface there to allow a user to enter a second factor. This is why most RD Gateway solutions use push notifications. (see MultiOTP issue #54 - it is in the works)
>
> I do not know your current network layout and I cannot find the relevant parts of the README for permitting a local network to bypass MFA, but could you possibly segment the RD Gateway's (internal) network interface as its own subnet then force MFA for connections from THAT network?
>
> Having the RD Gateway in a DMZ or segmented doesn't seem like a bad idea anyway.

I tried 2FA with push notifications from the gateway with both the Microsoft Gateway and Thincast. This is working quite well so far. But I would also like to have the option of forcing 2FA for certain internal connections via RDP or not forcing 2FA for certain ones. In my opinion, this is difficult to achieve with a gateway (as far as I know).

By the way: Operating the gateway in a DMZ also seems like a good thing to me ;-)
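The two positions in this thread (the maintainer's NAT objection and the address whitelist Stefan asks for) can be modelled as one decision function. This is an added example, not multiOTP code; the gateway's internal address 192.168.2.1 and the "what the host sees" model are constructed from the statements above.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    observed_ip: str   # address the RDP host sees (netstat / event log)
    logon_type: str    # "local" (console) or "rdp"


def reported_address(client_lan_ip: str, path: str, gateway_internal_ip: str) -> str:
    """Model of what the host sees, per the thread: a direct LAN client shows its
    own address; a client behind NAT still shows its *private* LAN address (the
    RDP client reports it); a client brokered by an RD Gateway shows the
    gateway's internal address, because the gateway is the real TCP client."""
    if path in ("lan", "nat"):
        return client_lan_ip
    if path == "gateway":
        return gateway_internal_ip
    raise ValueError(f"unknown path {path!r}")


def requires_otp(session: Session, allowlist: list, gateway_ips: set) -> bool:
    """Decide whether to demand the second factor; fails closed on anything odd."""
    if session.logon_type == "local":
        return False  # the existing option: no OTP for console logins
    try:
        ip = ipaddress.ip_address(session.observed_ip)
    except ValueError:
        return True  # unparsable source: never bypass
    if str(ip) in gateway_ips:
        return True  # came in through the gateway, i.e. from outside
    nets = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    return not any(ip in net for net in nets)


def nat_collision(allowlist: list, gateway_ips: set, gw_ip: str = "192.168.2.1"):
    """The maintainer's objection: a LAN host and a NATed remote client with the
    same private address are indistinguishable, so a whitelist that bypasses
    OTP for 192.168.2.12 silently bypasses it for the remote client too."""
    lan = Session(reported_address("192.168.2.12", "lan", gw_ip), "rdp")
    nat = Session(reported_address("192.168.2.12", "nat", gw_ip), "rdp")
    return (requires_otp(lan, allowlist, gateway_ips),
            requires_otp(nat, allowlist, gateway_ips))
```

With the gateway's address always forcing OTP and only gateway-brokered traffic reaching the host from outside, the whitelist is safe; with NAT port forwarding it is not, which is exactly the split the thread ends on.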