Application name: This may be optional in some RADIUS/MFA servers and usually identifies the application in messages or reports.MS-CHAPv2 is recommended because it provides the strongest security of the three options. Supported protocols are PAP, CHAP MS-CHAPv1, and MS-CHAPv2. Protocol: You might need to configure the authentication protocol between the Microsoft AD DCs and the RADIUS/MFA server.Shared secret: Type or generate a shared secret that will be used by the RADIUS/MFA server to connect with RADIUS clients.Port number: You might need to configure the port number of your RADIUS/MFA server on which your RADIUS/MFA server accepts RADIUS client connections.Address (DNS or IP): Type the DNS address of your Microsoft AD directory or the IP address of your Microsoft AD DC you obtained in Step 1.The following are the common parameters (your RADIUS/MFA server may vary): Create one RADIUS client configuration for each Microsoft AD DC.Open your RADIUS client configuration screen in your RADIUS/MFA solution.Otherwise, you must create one RADIUS client configuration for each Microsoft AD DC, using the DC IP addresses you obtained in Step 1: If your RADIUS/MFA server supports DNS addresses, you will need to create only one RADIUS client configuration.
The following steps show you how to configure your RADIUS/MFA server to accept requests from your Microsoft AD directory. Step 1 – Configure your RADIUS/MFA server to accept Microsoft AD requests
The right side (covered in Step 2 below) shows your Microsoft AD directory in the AWS Cloud connected to your on-premises AD via trust relationship, and the Amazon WorkSpaces joined to your Microsoft AD directory that will require the MFA code when you configure your environment by following Step 1 and Step 2. The left side in the diagram (covered in Step 1 below) represents your corporate data center with your on-premises AD connected to your RADIUS/MFA infrastructure that will provide the RADIUS user authentication. The following network diagram shows the components you must have running to enable RADIUS/MFA for Amazon WorkSpaces.
To learn more about how to set up Microsoft AD and create trust relationships to enable Amazon WorkSpaces users to use AD on-premises credentials, see Now Available: Simplified Configuration of Trust Relationship in the AWS Directory Service Console.
In this blog post, I show how to enable MFA for your Amazon WorkSpaces users in two steps: 1) Configure your RADIUS/MFA server to accept Microsoft AD requests, and 2) configure your Microsoft AD directory to enable MFA. For the purposes of this blog post, I will use “RADIUS/MFA” to refer to your on-premises RADIUS and MFA authentication solution. The RADIUS server connects to your on-premises AD to authenticate and authorize users. RADIUS is an industry-standard client/server protocol that provides authentication, authorization, and accounting management to enable users to connect network services. To enable MFA for AWS services such as Amazon WorkSpaces and QuickSight, a key requirement is an MFA solution that is a Remote Authentication Dial-In User Service (RADIUS) server or a plugin to a RADIUS server already implemented in your on-premises infrastructure. These factors together provide additional security by preventing access to AWS services, unless users supply a valid MFA code.
MFA adds an extra layer of protection to a user name and password (the first “factor”) by requiring users to enter an authentication code (the second factor), which has been provided by your virtual or hardware MFA solution. You can now enable multi-factor authentication (MFA) for users of AWS services such as Amazon WorkSpaces and Amazon QuickSight and their on-premises credentials by using your AWS Directory Service for Microsoft Active Directory directory, also known as AWS Microsoft AD.