When a RADIUS server receives a request there are only four different ways it can respond. It either sends back "Access Reject", "Access Challenge", "Access Accept", or it doesn't respond at all. For example if the "shared secret" is wrong then it does not send a reply. The awsfaketestuser test is verifying two things for us. The first is that we have network connectivity and the second is that the shared secret is correct. If either of those two fail then we get no reply back and the call times out. These are the two main reasons MFA setup can fail. In a successful test we are expecting to receive back a reply of "Access Reject". One way you can troubleshoot this is to turn on VPC flow logs to the ENI attached to the AD connector to see if the return traffic from your RADIUS server is reaching the AD connector.
Relevant questions
MFA for Simple AD directory
asked 3 months agoAD Connector MFA Setup Completed but AD Connector not sending RADIUS
asked a year agoWorkspaces MFA setup problem
asked 4 months agoWorkspaces MFA by SMS
asked 4 years agoAzure Cloud MFA support for Workspaces
Accepted Answerasked 3 years agoEnable MFA on AWS Workspaces
asked a month agoAmazon Workspaces without AD connector
Accepted Answerasked 3 years agoWorkSpaces - Inoperable AD Connector
asked 16 days agoCannot enable MFA for account
asked 5 months agoAdding MFA to Workspaces "failed" problem
asked 4 months ago