Active Directory MFA


I've been following this recipe for enabling MFA.... https://medium.com/@sjsumit10/enable-mfa-for-aws-managed-ad-using-freeradius-with-google-authenticator-caaabc450c0b

The procedure works well up until I reach the final step where MFA is enabled for the AD using the AWS console. The step fails with no obvious information as to why. I believe I've verified that UDP port 1812 is open. Where can I look for hints as to what the problem is? CloudWatch logs are not providing much insight.

1 Answer

Hello! Managed AD attempts to communicate with the RADIUS server over UDP 1812 by default, sends an "awsfakeuser" authentication request and expects an "Access-Reject" message back from RADIUS. If Managed AD does not receive a response, or receives a response other than "Access-Reject", MFA will fail to enable.

Ensure that UDP 1812 is allowed both inbound and outbound on the Directory Service's security group. Also ensure that the FreeRADIUS instance allows the traffic. Check the FreeRADIUS logs to ensure the traffic is received and that it sends a response back. You can also create a VPC Flow Log [1] to monitor the packets seen from the AWS side, or do a packet capture on the FreeRADIUS side. I have personally tested the guide you are using and can confirm it works.

If you still run into issues, please open a new support case with us and we will be ready to assist you.

  1. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
AWS
SUPPORT ENGINEER
answered 2 years ago
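As an added diagnostic example (not from the question, the answer above, or the linked guide): the check the answer describes, a RADIUS Access-Request for a user that does not exist, written as a small Python 3 client from RFC 2865 so it can be run from a host in the same VPC to confirm that the FreeRADIUS instance answers at all and that the answer is Access-Reject with a valid Response Authenticator. The server address, shared secret and the dummy password are assumptions; the exact attributes Managed AD itself sends are not documented on this page.

```python
import hashlib
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}

def _attr(atype, value):  # RADIUS attribute: type, total length (incl. these 2 bytes), value
    return struct.pack("!BB", atype, len(value) + 2) + value

def encode_password(secret, req_auth, password):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with a chained MD5 keystream
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(secret, username, password, identifier=1):
    # Header: code, identifier, length, then a 16-byte random Request Authenticator
    req_auth = os.urandom(16)
    attrs = _attr(1, username) + _attr(2, encode_password(secret, req_auth, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def build_reply(secret, req_auth, code, identifier, attrs=b""):
    # What a correctly configured server sends back (Response Authenticator, RFC 2865 sec. 3)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def classify_response(secret, req_auth, packet):
    # Verify the Response Authenticator before trusting the code (secret mismatch or forgery)
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("bad Response Authenticator: shared secret mismatch or forged reply")
    return CODE_NAMES.get(code, f"code {code}")

def probe(host, secret, username=b"awsfakeuser", port=1812, timeout=3.0):
    # Send one request and report the reply, or that none arrived within the timeout
    pkt, req_auth = build_access_request(secret, username, b"not-a-real-password")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no response: check security groups, clients.conf and FreeRADIUS logs"
    return classify_response(secret, req_auth, data)
```

Run `probe("<radius-host>", b"<shared-secret>")` from an instance whose security group mirrors the Directory Service's; "no response" points at network or clients.conf, a ValueError points at a shared-secret mismatch, and anything other than Access-Reject points at the FreeRADIUS policy.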
