By using AWS re:Post, you agree to the Terms of Use

Multi-Factor Fails To Enable On Directory Service For DUO/VPN setup

0

Hey there, been having trouble trying to enable Multi-Factor for Directory service in order to integrate DUO with my VPN client. I have followed to the post here to a tee but when I go to enable MFA it keeps failing: https://aws.amazon.com/blogs/networking-and-content-delivery/using-microsoft-active-directory-mfa-with-aws-client-vpn/

So I have everything checked off. I do have an EC2 instance joined to the domain. I have rules in place that allow the radius port through. I have also tested connectivity to the EC2 instance from Directory service and it reaches it fine. I have my config for DUO setup according the post above, matching DUO keys and verified the shared radius key is good. But with that being said, its not very clear on the EC2 instance should have radius /NPS role installed and configured. It only mentions having a radius server. So just to see, I did install the NPS role and set it up for Directory service as a client. When trying to re-enable MFA, I do see DS trying to connect and creates an error in the log. Event ID:6273 Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User: Security ID:NULL SID Account Name:fakeusername Account Domain:MYDOMAIN Fully Qualified Account Name:MYDOMAIN\fakeusername

And just to note, the "fakeusername" is actually what is appearing in the log. Now there is no area in the whole setup where you create a system account or some account for DS to connect to radius server so I am bit puzzled in this. Obviously, there is not user by that name and for fun I did create one with the radius secret just to see if that would do anything but of course it still fails. If there is anyone that help provide any insight to this, I would appreciate your time. Thanks! Chris.

2 Answers
0
Accepted Answer

This is now resolved. I was able to enable MFA. Just needed to add the 2nd IP of DS to the config file which seemed to work. Thanks for the previous poster for chiming in.

answered 2 months ago
0

I suspect you missed configuring your"Install the Duo Authentication Proxy". To integrate Duo with your RADIUS device, you will need to install a local Duo proxy service on a machine within your network. This Duo proxy server will receive incoming RADIUS requests from your RADIUS device, contact your existing local LDAP/AD or RADIUS server to perform primary authentication if necessary, and then contact Duo's cloud service for secondary authentication. Would you please verify that you have configured this step: https://duo.com/docs/radius

Configuring proxy will allow you to setup something like this: [ad_client] host=1.2.3.4 host_2=1.2.3.5 service_account_username=duoservice service_account_password=password1 search_dn=DC=example,DC=com security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com

with this in place you should be able to authenticate with correct service account name and password.

answered 2 months ago
  • Thanks! You were not too far off. I did get this working....go figure, as soon as I post this. :) In any case, I failed to add the second IP of DS to my config file and that did the trick.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions