How can I use Duo with my AWS Managed Microsoft AD to provide multi-factor authentication for end users connecting to an AWS Client VPN endpoint?

Short Description

AWS Client VPN supports the following types of end user authentication:

• Mutual authentication
• Active Directory authentication
• Dual authentication (Mutual + Active Directory authentication)

The MFA service must be enabled on the Active Directory (not directly on the Client VPN). Be sure that your Active Directory type supports MFA. MFA functionality is supported by both new and existing Client VPNs.

To set up MFA for end users connecting to a Client VPN endpoint using Duo:

• First, complete the IT administrator configuration tasks to set up the required services.
• Then, have each end user complete the end user configuration tasks to establish their secure connection to the Client VPN endpoint.

Resolution

IT administrator configuration tasks:

Create and configure an AWS Managed Microsoft AD

1.    Create an AWS Managed Microsoft AD directory.

2.    Join an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance to the AWS Managed Microsoft AD directory.

This instance is used to install services in the Active Directory. The instance is also used to manage users and groups in the Active Directory. When launching the instance, be sure that the instance is associated with the Active Directory. Also, be sure to add an IAM role with the "AmazonEC2RoleforSSM" policy attached.

3.    Install the Active Directory services, and then configure the Active Directory users and groups.

First, log in to (or use a Remote Desktop Connection to connect to) the instance that you created in step 2 using the following command. Be sure to replace <Your Admin password> with the Admin password that you created for the Active Directory in step 1.

User name: Admin@ad_DNS_name
Password: <Your Admin password> 

Then, install the following services using PowerShell (in Admin mode):

install-windowsfeature rsat-ad-tools, rsat-ad-admincenter, gpmc, rsat-dns-server -confirm:$false

Next, create Active Directory users and Active Directory groups. Then, add these users to their appropriate Active Directory groups.

Note: These Active Directory users are the same end users who'll connect to the AWS Client VPN Endpoint.

Finally, use the following command to retrieve the SIDfor your Active Directory groups. Be sure to replace <Your-AD-group-name> with your Active Directory group name.

Get-ADGroup -Identity <Your-AD-group-name>

Note: You need the SID to authorize the Active Directory users of this group when you configure the AWS Client VPN authorization rules.

Install and configure Duo

1.    Sign up for a Duo account on the Duo website, and then log in.

2.    Install the Duo application on your mobile device. When you receive a text or push notification from Duo, follow the instructions to authenticate your Duo account.

3.    In your Duo web account, choose Applicationsfrom the navigation pane on the left.

4.    Choose RADIUSto install it.

5.    Choose Users, Add Userfrom the navigation pane.

6.    For Username, enter the user names of your end users. These user names must match with the Active Directory user's names and the user name that your end users use later to authenticate their connection to the Client VPN endpoint.

7.    Select each individual user and add their phone numbers. This phone number is where end users receive their respective MFA codes.

8.    Choose Activate Duo Mobile, and then choose Generate Duo Mobile Activation Codefor each user. You can use two methods to notify users of their activation link. The first method is to email this activation link to each end user by choosing Send Instructions by SMS. The second method is to choose to skip this step. Then, copy the respective activation links for each end user and send the links to them manually.

9.    Launch another EC2 Windows instance. This instance is used to configure and manage the Duo Radius application. Be sure that the instance is associated with the Active Directory, has the correct AWS Identity and Access Management (IAM) role, and has internet access. Verify its security groups, network access control list, and route table.

10.    Log in to the Radius EC2 instance that you launched in step 9. Then, install the Authentication Proxy for Windows from the Duo website.

11.    Navigate to the "authproxy.cfg" config file at C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg.

12.    Edit the config file as follows:

[duo_only_client]
[radius_server_auto]
ikey=XXX
skey=YYY
api_host=api-ZZZ.duosecurity.com
radius_ip_1=<AD-DNS-address#1>
radius_secret_1=<My-password>
radius_ip_2=<AD-DNS-address#2>
radius_secret_2=<My-password>
failmode=safe
client=duo_only_client
port=1812

To find the values for ikey(integration key), skey(secret key), and api_host(your Duo's API hostname):

• Log in to your Duo web account on the Duo website.
• Choose Dashboard, Applications, Radius.
• Refer to the values under Details.

To find the values for radius_ip_1and radius_ip_2:

• Log in to the AWS Management Console.
• Choose Directory Service, and then choose Directories.
• Select your Active Directory.
• Under Details, see address_ip#1and address_ip#2in the DNS address section.
  Note: If you're using AWS AD_connector, then address_ip#1and address_ip#2are the IPs of your AD_connector.

Optionally, you can:

• Set your own radius_secret_key.
• Change the port, if needed.

Modify the security group configuration

1.    Log in to the AWS Management Console.

2.    Choose Security groups.

3.    Select the security group for the directory controllers.

4.    Edit the outbound rule for the security group of the Active Directory to allow UDP 1812 (or the Radius service port) for the destination IP (private IP) of your Radius Server. Or, you can allow all traffic if your use case lets you do so.

Confirm that the Duo authentication service is running

1.    Log in to the Radius EC2 Windows instance.

2.    Under Services, find the Duo Security Authentication Proxy Service. If the service isn't in the Runningstate, choose Start the service.

Enable MFA on your AWS Microsoft Managed AD

1.    Choose Directory Service, and then choose Directories.

2.    Select your Active Directory.

3.    Under Networking & security, choose Multi-factor authentication. Then, choose Actions, Enable.

4.    Specify the following:

• **RADIUS server DNS name or IP addresses:**Enter the private IP address of the EC2 Windows instance.
• **Port:**Enter the port specified in your "authproxy.cfg" file.
• **Shared secret code:**Enter the radius_secret_keyvalue from your "authproxy.cfg" file.
• **Protocol:**Choose PAP.
• **Server timeout:**Set the desired value.
• **Max RADIUS request retries:**Set the desired value.

Create the AWS Client VPN endpoint

1.    After the AWS Microsoft Managed AD and MFA are set up, create the Client VPN endpoint using the Active Directory that the MFA is enabled for.

2.    Download the new client configuration file and distribute it to your end users.
Note: You can download the client configuration file from the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the API command.

3.    Confirm that the client configuration file includes the following parameters:

auth-user-pass
static-challenge "Enter MFA code " 1

**Note:**If you're using dual authentication (for example, Mutual + Active Directory authentication), also be sure to add the client **<cert>**and <key> to the configuration file.

End user configuration tasks:

1.    Follow the activation link provided by your IT administrator to install the Duo application on your mobile device.

2.    Install the AWS Client VPN for Desktop tool.
**Note:**You can also connect to the Client VPN endpoint using any other standard OpenVPN-based client tool.

3.    Create a profile using the client configuration file provided by your IT administrator.

4.    To connect to the Client VPN endpoint, enter your Active Directory user credentials when prompted. Then, enter the MFA code generated by your Duo application.