
Adding MFA to Workspaces "failed" problem

0

I have been attempting to add Multi-Factor Authentication to my WorkSpaces account for my user base. I have configured the RADIUS server using FreeRADIUS from this post here:

https://aws.amazon.com/blogs/desktop-and-application-streaming/integrating-freeradius-mfa-with-amazon-workspaces/

and all goes according to plan. I have the FreeRADIUS server using LinOTP running. The problem is in the very last step: when I go to enable MFA in WorkSpaces, I put in the information and it just says "failed".

Specifically,

Step 6: Enable MFA on your AWS Directory

Communication between the AWS Managed Microsoft AD RADIUS client and your RADIUS server requires you to configure AWS security groups that enable communication over port 1812. Edit your Virtual Private Cloud (VPC) security groups to enable communications over port 1812 between your AWS Directory Service IP end points and your RADIUS MFA server.

  1. Navigate to your Directory Service console.
  2. Click the Directory you want to enable MFA on.
  3. Select the Network & Security tab, scroll down to Multi-factor authentication, click Actions and Enable.
  4. In Enable multi-factor authentication (MFA), configure the MFA settings:
     - Display label: Example
     - RADIUS server IP address(es): Private IP of the Amazon Linux 2 instance
     - Port: 1812
     - Shared secret code: the one set in /etc/raddb/clients.conf
     - Confirm shared secret code: as preceding
     - Protocol: PAP
     - Server timeout (in seconds): 30
     - Max retries: 3

This operation can take between 5-10 mins to complete. Once the RADIUS status is "completed" you can test MFA authentication from the WorkSpace client.

I really have two questions:

  1. How do I do this part? "Edit your Virtual Private Cloud (VPC) security groups to enable communications over port 1812 between your AWS Directory Service IP end points and your RADIUS MFA server." Maybe I'm not setting up the endpoints correctly? Do I go to the VPC and add endpoints there? Can you please be specific.

  2. How do I get more information from just the "failed" in red? How do I access the creation logs?

Thanks in advance,

Jon

2 Answers
0

Hello Jon,

You need to allow connectivity between your Domain Controllers and RADIUS server on port 1812. If this is properly configured, I would recommend that you open a support case with Premium Support so they can provide additional logging details.

Another option is to enable some port listener on your RADIUS server so that you can see if you receive packages from the Domain Controllers' IPs, to verify ports are not blocked.

Thank you,
Juan

EXPERT
answered 5 months ago
0

Thank you Juan for your answer. I have solved it by running FreeRADIUS in debugging mode and watching the logs. What was happening was that despite using the internal IP from the VPC (both are using the same VPC), Microsoft AD was trying to do the request through the external IP, and the FreeRADIUS server was rejecting the call as foreign. I fixed it by creating an endpoint within the VPC from WorkSpaces to EC2. Then it started working internally and authenticated because it never left the VPC. The key realization was setting up the endpoints.

answered 5 months ago
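The diagnosis above (FreeRADIUS in debug mode rejecting requests that arrive from an unexpected source address) can be automated so that the "failed" status is explained from the server side. The following is an added example, not code from the thread or from the AWS blog post. It parses `radiusd -X` style output for FreeRADIUS's "unknown client" rejections, then classifies each rejected source address as either outside the VPC (a routing/endpoint problem, as in Jon's case) or inside the VPC but missing from `clients.conf` (a configuration gap). The log lines, the VPC CIDR and the `clients.conf` networks are constructed sample values.

```python
import ipaddress
import re

# Constructed sample of `radiusd -X` debug output; not a real capture.
SAMPLE_DEBUG_LOG = """\
Listening on auth address * port 1812 bound to server default
Ready to process requests
Ignoring request to auth address * port 1812 bound to server default from unknown client 203.0.113.45 port 53212 proto udp
(0) Received Access-Request Id 17 from 10.0.1.25:49152 to 10.0.2.10:1812 length 88
(0) Sent Access-Accept Id 17 from 10.0.2.10:1812 to 10.0.1.25:49152 length 20
Ignoring request to auth address * port 1812 bound to server default from unknown client 10.0.3.7 port 60001 proto udp
Ignoring request to auth address * port 1812 bound to server default from unknown client 203.0.113.45 port 53213 proto udp
"""

# FreeRADIUS 3 rejects packets from addresses with no matching client block.
UNKNOWN_CLIENT_RE = re.compile(
    r"from unknown client (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)
# Accepted requests are logged as "Received Access-Request ... from IP:port".
ACCESS_REQUEST_RE = re.compile(
    r"Received Access-Request Id \d+ from (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)"
)


def parse_debug_log(text):
    """Return (unknown_sources, accepted_sources) as de-duplicated, ordered lists."""
    unknown, accepted = [], []
    for line in text.splitlines():
        m = UNKNOWN_CLIENT_RE.search(line)
        if m:
            if m.group("ip") not in unknown:
                unknown.append(m.group("ip"))
            continue
        m = ACCESS_REQUEST_RE.search(line)
        if m and m.group("ip") not in accepted:
            accepted.append(m.group("ip"))
    return unknown, accepted


def classify_source(ip, vpc_cidr, client_networks):
    """Explain why a source address was rejected.

    'outside_vpc'          -> traffic is not taking the private path (routing/endpoint issue)
    'not_in_clients_conf'  -> private address, but clients.conf has no block covering it
    'allowed'              -> covered by clients.conf (rejection must have another cause)
    """
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(vpc_cidr):
        return "outside_vpc"
    if any(addr in ipaddress.ip_network(n) for n in client_networks):
        return "allowed"
    return "not_in_clients_conf"


def diagnose(text, vpc_cidr, client_networks):
    """Map each rejected source IP from the debug log to a diagnosis string."""
    unknown, _accepted = parse_debug_log(text)
    return {ip: classify_source(ip, vpc_cidr, client_networks) for ip in unknown}


if __name__ == "__main__":
    # Assumed values: the VPC CIDR and the networks listed in /etc/raddb/clients.conf.
    for ip, verdict in diagnose(SAMPLE_DEBUG_LOG, "10.0.0.0/16",
                                ["10.0.1.0/24", "10.0.2.0/24"]).items():
        print(f"{ip}: {verdict}")
```

Run it against the saved output of `radiusd -X` instead of the sample string; a source classified as `outside_vpc` means the directory's RADIUS client is reaching the server over a public path, so the fix is on the VPC/endpoint side rather than in `clients.conf`.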
