Amazon Onboarding with Learning Manager Chanci Turner

Organizations can now require multi-factor authentication (MFA) for users connecting to AWS Client VPN endpoints, which strengthens remote access to AWS and on-premises resources. With MFA enabled, a user must present not only the username and password validated by Active Directory (plus a client certificate where mutual authentication is also configured) as the first factor, but also a second factor, such as a one-time code from an authenticator app, an SMS code, or an approved push notification, before the tunnel is established.

To enable MFA for AWS Client VPN, you need a Remote Authentication Dial-In User Service (RADIUS) server that performs the second-factor check, paired with a One-Time Password (OTP) solution; AWS Managed Microsoft AD forwards the MFA code to that RADIUS server. RADIUS is a standard protocol for authentication, authorization, and accounting.

Many MFA solutions fit this model, including Duo, Okta, or a FreeRADIUS server with Google Authenticator, among others. In this blog post, we use the Duo Authentication Proxy as the RADIUS server, with Duo generating and verifying the OTP.

This guide walks through enabling MFA for your AWS Client VPN users in four steps; this page covers the first three:

  1. Setting up and configuring a Duo account.
  2. Configuring your RADIUS server (the Duo Authentication Proxy) to proxy authentication requests from AWS Managed Microsoft AD to Duo.
  3. Enabling MFA on AWS Managed Microsoft AD.
  4. Creating the AWS Client VPN endpoint.

Getting Started

There are two phases involved in establishing MFA for end users who utilize Duo to connect to a Client VPN endpoint. First, IT administrators must complete the necessary configuration tasks to set up the required services. Next, each end user will need to finish their configuration tasks to create a secure connection to the Client VPN endpoint.

This solution assumes you are already operating Microsoft Active Directory and have an Active Directory Manager instance. For further information on setting up AWS Managed Microsoft AD and creating an AD Manager Instance, refer to this tutorial.

Solution Overview

The accompanying diagram illustrates the components needed to enable MFA for AWS Client VPN users. On the left is the Duo setup covered in Step 1; on the right is your RADIUS server, prepared in Step 2 to proxy the directory's authentication requests to Duo for the OTP check. Step 3 covers enabling MFA on Microsoft Active Directory so that it sends those requests to the RADIUS server.

Configuration Tasks for the IT Administrator

Step 1 – Duo Account Set-Up and Configuration

  1. Create your Duo account at Duo Signup.
  2. Install the “Duo Mobile” application on your mobile device. It is the second factor for signing in to the Duo Admin Panel, and the same app is what your end users will use later for push approvals and passcodes.
  3. Log in to your Duo web account and configure the following:
    • Under Applications, choose Protect an Application and add RADIUS. Optionally set Username Normalization to “Simple” so that forms such as DOMAIN\user and user@domain are matched to the plain username.
    • Under Users, create users whose usernames match exactly what end users will type when connecting to the AWS Client VPN (after normalization, if you enabled it); an unknown username is rejected by Duo.
    • Add phone numbers for these users so they can receive their OTP. Activate the Duo Mobile application for each user by generating an Activation Code and sending the instructions via SMS or email.

For additional details, see the guide for configuring Duo for the RADIUS application.

Step 2 – Configure Your RADIUS Server to Proxy Authentication Requests from Microsoft AD to Duo for OTP Code

To set up your RADIUS server to proxy authentication requests from Microsoft AD:

  1. Launch a Windows EC2 instance in the same VPC as your Microsoft AD and ensure it is joined to the Active Directory.
  2. Log in to the new Windows EC2 instance and download the Duo Authentication Proxy for Windows.
  3. Install the Authentication Proxy, then edit the configuration file at C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg, replacing its contents with the following (values in angle brackets are placeholders for your own settings):

; No [main] or primary-authentication client section is needed: AWS Managed Microsoft AD
; has already verified the username and password before it contacts RADIUS, so the
; proxy only performs the Duo second factor.
[duo_only_client]

[radius_server_auto]
ikey=XXX
skey=YYY
api_host=api-ZZZ.duosecurity.com
; The RADIUS clients are the directory's two domain controllers. Each radius_ip_N is the
; IP address of one DC, and radius_secret_N must equal the shared secret you enter in
; Directory Service in Step 3.
radius_ip_1=<AD-DC-IP-address#1>
radius_secret_1=<My-password>
radius_ip_2=<AD-DC-IP-address#2>
radius_secret_2=<My-password>
; safe: if the Duo cloud service is unreachable, the second factor is skipped and the
; request is accepted. Set failmode=secure to deny access instead.
failmode=safe
client=duo_only_client
port=1812

Note: The values for “ikey” (integration key), “skey” (secret key), and “api_host” (API hostname) come from your Duo account under Dashboard > Applications > RADIUS. The skey authenticates your proxy to Duo, so keep authproxy.cfg readable only by administrators and the proxy service, and do not commit it to source control.

Also obtain the IP addresses of your Microsoft AD domain controllers (DCs) from the AWS Management Console under Directory Service. The domain controllers are the RADIUS clients: they initiate the requests, so each DC must be able to reach the proxy on UDP port 1812, and each DC IP address must appear as a radius_ip_N entry in the configuration above.

  4. Adjust the security groups so the RADIUS traffic can flow: the security group of the RADIUS server must allow inbound UDP 1812 from the domain controller IP addresses, and the security group of your Microsoft Active Directory must allow the corresponding traffic between the directory and the RADIUS server. Make sure the Duo Security Authentication Proxy service is running, and restart it after any change to authproxy.cfg, since the file is read only when the service starts.
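
Before pointing the directory at the proxy, it is worth sending a RADIUS request to it yourself from an address listed as a radius_ip_N and confirming that the shared secret and the network path work. The following test client is an added example, not code from the original post, Duo or AWS: it builds an RFC 2865 Access-Request by hand (PAP password obfuscation, Request Authenticator), carries the Duo factor (a passcode or the word push) as User-Password the way the directory forwards the MFA code, and validates the Response Authenticator of the reply so that a wrong shared secret is reported as such rather than silently accepted. The proxy address 10.0.1.25, the user alice and the secret My-password are assumed placeholders.

```python
"""RADIUS (RFC 2865) PAP test client for exercising the Duo Authentication Proxy before
AWS Managed Microsoft AD is pointed at it. Added example, not code from the original
post, Duo or AWS. Host, port, secret and user names below are placeholders."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, NAS_IDENTIFIER = 1, 2, 4, 18, 32

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 s5.2: NUL-pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def pap_decrypt(data, secret, authenticator):
    """Inverse of pap_encrypt: what the proxy does to recover the factor."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(data[i:i + 16], key))
        prev = data[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(kind, value):
    """Type-Length-Value; Length counts the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", kind, len(value) + 2) + value

def parse_attributes(data):
    """Split an attribute list into (type, value) pairs, rejecting truncated entries."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def build_access_request(ident, user, factor, secret, authenticator=None, nas_ip="127.0.0.1"):
    """Access-Request carrying the Duo factor (a passcode or 'push') as User-Password,
    which is how the directory forwards the MFA code to RADIUS."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, pap_encrypt(factor.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_IDENTIFIER, b"radius-check"))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(reply, request_authenticator, secret, ident):
    """Check length, identifier and Response Authenticator before trusting the code;
    a mismatch means a wrong shared secret or a forged or garbled reply."""
    if len(reply) < 20:
        raise ValueError("RADIUS packet shorter than 20 octets")
    code, reply_ident, length = struct.unpack("!BBH", reply[:4])
    if reply_ident != ident or length != len(reply):
        raise ValueError("identifier or length mismatch")
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator (wrong shared secret or spoofed reply)")
    return code

def check_proxy(host, port, user, factor, secret, timeout=60.0):
    """Send one request and classify the outcome; the long timeout leaves room for
    the user to approve a Duo push on the phone."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, user, factor, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout: proxy unreachable, UDP %d blocked, or this IP is not a radius_ip_N" % port
    code = verify_response(reply, authenticator, secret, ident)
    notes = [v.decode(errors="replace") for t, v in parse_attributes(reply[20:]) if t == REPLY_MESSAGE]
    names = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}
    return names.get(code, "code %d" % code) + (": " + "; ".join(notes) if notes else "")

if __name__ == "__main__":
    # Placeholder proxy address, user and shared secret (assumed values, not from the post).
    print(check_proxy("10.0.1.25", 1812, "alice", "push", b"My-password"))
```

Run it from a host whose address is listed as a radius_ip_N (for a quick check, add the test host temporarily and remove it afterwards); a timeout means the network path or the client list is wrong, a ValueError from verify_response means the secret does not match, and accept or reject tells you Duo was actually consulted.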

Step 3 – Configure AWS Managed Microsoft AD to Enable MFA

Finally, configure your Microsoft AD directory for MFA, requiring AWS Client VPN users to input an MFA code along with their username and password.

To enable MFA in Microsoft Active Directory:

  1. Open the AWS Management Console, select Directory Service, and choose your Directory ID.
  2. Under the Network and Security tab, select Multi-factor authentication and enable it.
  3. Enter your RADIUS server details:
    • Display Label: a descriptive name for this RADIUS server configuration.
    • RADIUS Server DNS name or IP Addresses: the private IP address (or DNS name) of the Duo Authentication Proxy instance from Step 2.
    • Port: the port set in Step 2 (1812 in the configuration above).
    • Shared Secret Code: the value you used for radius_secret_1 and radius_secret_2 in Step 2; it must match exactly.
    • Protocol: PAP, which is what the Duo proxy's RADIUS Auto server expects in this setup.
    • Server timeout and Max RADIUS request retries: leave enough time for a user to approve a Duo push within a single request; the timeout is capped at 50 seconds.
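
The same settings can be applied with the Directory Service API, which is easier to review and repeat than console clicks. The following is an added example, not code from the original post or AWS: it validates the RadiusSettings structure against the bounds given in the RadiusSettings API reference (assumed unchanged; check the current reference), calls ds:EnableRadius, and reads back RadiusStatus. The directory ID d-1234567890, the proxy address 10.0.1.25 and the secret My-password are placeholders; in practice the secret should be read from a secrets store rather than written in a script.

```python
"""Enable the Step 3 RADIUS/MFA settings on an AWS Managed Microsoft AD directory via
the Directory Service API. Added example, not code from the original post or AWS.
Directory ID, proxy IP and shared secret below are placeholders. Field bounds follow
the RadiusSettings API reference and are assumed unchanged."""

PROTOCOLS = ("PAP", "CHAP", "MS-CHAPv1", "MS-CHAPv2")

def radius_settings(servers, shared_secret, port=1812, timeout=50, retries=2,
                    protocol="PAP", label="Duo MFA"):
    """Build and validate the RadiusSettings structure for ds:EnableRadius."""
    servers = list(servers)
    if not 1 <= len(servers) <= 4 or any(not 1 <= len(s) <= 256 for s in servers):
        raise ValueError("1 to 4 RADIUS server addresses, each 1..256 characters")
    if not 1025 <= port <= 65535:
        raise ValueError("RadiusPort must be 1025..65535")
    if not 1 <= timeout <= 50:
        raise ValueError("RadiusTimeout must be 1..50 seconds; a Duo push must be approved within it")
    if not 0 <= retries <= 10:
        raise ValueError("RadiusRetries must be 0..10")
    if not 8 <= len(shared_secret) <= 512:
        raise ValueError("SharedSecret must be 8..512 characters and match radius_secret_N in authproxy.cfg")
    if protocol not in PROTOCOLS:
        raise ValueError("AuthenticationProtocol must be one of %s" % ", ".join(PROTOCOLS))
    if not 1 <= len(label) <= 64:
        raise ValueError("DisplayLabel must be 1..64 characters")
    return {
        "RadiusServers": servers,
        "RadiusPort": port,
        "RadiusTimeout": timeout,
        "RadiusRetries": retries,
        "SharedSecret": shared_secret,
        "AuthenticationProtocol": protocol,
        "DisplayLabel": label,
    }

def enable_radius_mfa(directory_id, settings, region_name=None):
    """Apply the settings and read back RadiusStatus (Creating, Completed or Failed)."""
    import boto3  # imported here so the validation above runs without the SDK installed
    ds = boto3.client("ds", region_name=region_name)
    ds.enable_radius(DirectoryId=directory_id, RadiusSettings=settings)
    desc = ds.describe_directories(DirectoryIds=[directory_id])["DirectoryDescriptions"][0]
    return desc.get("RadiusStatus")

if __name__ == "__main__":
    # Placeholder directory ID, proxy IP and secret (assumed values, not from the post).
    cfg = radius_settings(["10.0.1.25"], "My-password", label="Duo MFA for Client VPN")
    print(enable_radius_mfa("d-1234567890", cfg))
```

RadiusStatus stays at Creating for a short while after the call; poll describe_directories until it reports Completed before testing a VPN login, and treat Failed as a signal to recheck the secret, the port and the security groups from Step 2.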

With these steps complete, MFA is enabled for AWS Client VPN users who authenticate through the directory: a connection now requires the Active Directory password and a Duo factor. Test with a single user before rolling the change out to everyone; a wrong shared secret, a blocked port, or a stopped proxy shows up as failed VPN logins.
