Workspaces MFA setup problem

Question

I am trying to configure Workspaces to use MFA.  I have tried setting up MFA in the AD Connector area and then tried in the Workspaces Directory area (not at the same time).  In both cases it goes from Creating to Failed.  On the MFA server we see a request from our expected AWS external IP with user awsfaketestuser during the MFA creation.  The security group used by AD connector has 1812 TCP/UDP allowed inbound and outbound is using a NAT gateway.    As we see the request from AWS on our RADIUS server, we don't suspect a network problem.  We have also tried creating a user on the RADIUS host called awsfaketestuser and setting it to disabled.   I'm not sure how to get more information about the error or how to fix the problem.

Answer

When a RADIUS server receives a request there are only four different ways it can respond.  It either sends back "Access Reject", "Access Challenge", "Access Accept", or it doesn't respond at all.  For example if the "shared secret" is wrong then it does not send a reply.  The awsfaketestuser test is verifying two things for us.  The first is that we have network connectivity and the second is that the shared secret is correct.  If either of those two fail then we get no reply back and the call times out.  These are the two main reasons MFA setup can fail.  In a successful test we are expecting to receive back a reply of "Access Reject".  One way you can troubleshoot this is to turn on VPC flow logs to the ENI attached to the AD connector to see if the return traffic from your RADIUS server is reaching the AD connector.

Workspaces MFA setup problem

Relevant questions

MFA for Simple AD directory

AD Connector MFA Setup Completed but AD Connector not sending RADIUS