How can I use Duo with my AWS Managed Microsoft AD to provide multi-factor authentication for end users that connect to a Client VPN endpoint?

7 minute read

I want to use Duo with my AWS Directory Service for Microsoft Active Directory. I want to provide multi-factor authentication (MFA) for end users that connect to an AWS Client VPN endpoint.

Short Description

Client VPN supports the following types of end user authentication:

  • Mutual authentication
  • Active Directory authentication
  • Dual authentication (Mutual and Active Directory authentication)

The latest versions of Duo leverage push notifications that are sent to end users as a two-factor authentication. Legacy Duo implementations require end users to use the Duo mobile app to generate a multi-factor authentication (MFA) code. You then use this code with Client VPN.

You must turn on the MFA service on the Active Directory, but not directly on the Client VPN.

Note: Your Active Directory type must support MFA. Both new and existing Client VPNs support MFA functionality.


Create and configure an AWS Managed Microsoft AD

  1. Create an AWS Managed Microsoft AD directory.

  2. Join an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance to the AWS Managed Microsoft AD directory. This instance installs services and manages users and groups in the Active Directory. The instance must be associated with the Active Directory. You must add an AWS Identity and Access Management (IAM) role with the "AmazonEC2RoleforSSM" policy attached.

  3. Run the following command to log in to the Amazon EC2 instance.

    Username: Admin@ad_DNS_name
    Password: <Your Admin password>

    Note: Replace Your Admin password with the Admin password that you create for the Active Directory.

  4. In Admin mode, use PowerShell to install the following services:

    install-windowsfeature rsat-ad-tools, rsat-ad-admincenter, gpmc, rsat-dns-server -confirm:$false
  5. Create Active Directory users and Active Directory groups, and then add these users to their appropriate Active Directory groups.
    Note: These Active Directory users are the same end users who'll connect to the Client VPN Endpoint.

  6. Run the following command to retrieve the SID for your Active Directory groups. Replace Your-AD-group-name with your Active Directory group name.

    Get-ADGroup -Identity <Your-AD-group-name>

Note: You need the SID to authorize the Active Directory users of this group when you configure the Client VPN authorization rules.

Install and configure Duo

  1. Sign up (Duo website) for or log in to Duo.
  2. Install the Duo application on your mobile device. Follow the instructions to authenticate your Duo account.
  3. In your Duo web account, choose Applications from the navigation pane on the left.
  4. In the search field, enter RADIUS and choose Protect.
  5. In the navigation pane, choose Users, and then choose Add User. For Username, enter the names of your end users. The names must match with the Active Directory user's names. The names must also match the username that your end users authenticate their connection to the Client VPN endpoint with
  6. Select each individual user, and then add their phone numbers. End users receive their MFA codes through the number that you enter here.
  7. For reach user, choose Activate Duo Mobile, and then choose Generate Duo Mobile Activation Code. There are two methods available to notify users of their activation link. You can choose Send Instructions by SMS to email the activation link to each end user. Or, you can choose Skip this step. Then, copy the activation links for each end user and send the links to each user manually.
  8. Launch an EC2 Windows instance. Use this instance to configure and manage the Duo Radius application. The instance must be associated with Active Directory. The instance must also have the correct IAM role and internet access. Verify the security groups, network access control list, and route table of the instance
  9. Log in to the EC2 instance that manages the Duo Radius application. Then, install the Authentication Proxy for Windows (Duo website).
  10. Navigate to the "authproxy.cfg" config file at C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy.cfg.
  11. Edit the configuration file. The following is an example of what the file can look like:

To find the values for ikey (integration key), skey (secret key), and api_host (your Duo's API hostname), complete the following steps:

  • Log in to your Duo web account on the Duo website.
  • Choose Dashboard, Applications, Radius.
  • Refer to the values under Details.

To find the values for radius_ip_1 and radius_ip_2, complete the following steps:

  • Log in to the AWS Management Console.
  • Choose Directory Service, and then choose Directories.
  • Select your Active Directory.
  • Under Details, see address_ip#1 and address_ip#2 in the DNS address section.
    Note: If you use AWS AD_connector, then address_ip#1 and address_ip#2 are the IPs of your AD_connector.

Optionally, complete the following steps:

  • Set your radius_secret_key.
  • Change the port.

Modify the security group configuration

  1. Log in to the AWS Management Console.
  2. Choose Security groups.
  3. Select the security group for the directory controllers.
  4. Edit the outbound rule for the security group of the Active Directory. Have the rule allow UDP 1812 (or the Radius service port) for the destination IP address (private IP) of your Radius Server. Or, allow all traffic if your use case allows it.

Confirm that the Duo authentication service is running

  1. Log in to the Radius EC2 Windows instance.
  2. Under Services, find the Duo Security Authentication Proxy Service. If the service isn't in the Running state, then choose Start the service.

Turn on MFA on your AWS Managed Microsoft AD

  1. Log in to the AWS Management Console.
  2. Choose Directory Service, and then choose Directories.
  3. Select your Active Directory.
  4. Under Networking & security, choose Multi-factor authentication. Then, choose Actions, and then choose Enable.
  5. Enter the following information:
    For RADIUS server DNS name or IP addresses, enter the private IP address of the EC2 Windows instance.
    For Port, enter the port that's specified in your "authproxy.cfg" file.
    For Shared secret code, enter the radius_secret_key value from your "authproxy.cfg" file.
    For Protocol, choose PAP.
    For Server timeout, enter a value.
    For Max RADIUS request retries, enter a value.

Create the Client VPN endpoint

  1. After the AWS Managed Microsoft AD and MFA are set up, create the Client VPN endpoint. Use the Active Directory that the MFA is turned on for.
  2. Download the new client configuration file and distribute it to your end users.
    Note: You can download the client configuration file from the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the API command.
  3. Confirm that the client configuration file includes the following parameters:
static-challenge "Enter MFA code " 1

Note: If you use dual authentication (for example, Mutual + Active Directory authentication), then add the client <cert> and <key> to the configuration file.

Configure the end user devices

  1. On the end user device, follow the activation link to install the Duo application on your mobile device.
  2. Install the Client VPN for Desktop tool.
    Note: You can also use any standard OpenVPN-based client tool to connect to the Client VPN endpoint.
  3. Use the client configuration file to create a profile.
  4. Connect to the Client VPN endpoint that's correct for your Duo version:

Legacy Duo versions
Enter your Active Directory user credentials. Then, enter the MFA code the Duo application generates in to the Client VPN. Duo validates this MFA code.
Note: Depending on the Client VPN version and the operating system you use, this field can be Response instead of Enter MFA code.

Modern Duo versions
Enter your Active Directory user credentials. The Client VPN MFA field isn't taken into account for the second-factor authentication by Duo. In this case, Duo relies on a mobile notification push as a second factor of authentication. 
Note: Fill the Client VPN MFA field with random characters. This keeps the authentication from failing for having a blank field.

AWS OFFICIALUpdated a year ago