
I'm trying to set up multi-factor authentication for AWS WorkSpaces using AD and OATH TOTP (e.g. Google Authenticator). In the AWS AD Connector config you can set up the RADIUS server's IP, port and shared code. If I understand correctly the RADIUS server is what would then connect to Google Authenticator or any other provider and those details are abstracted away behind RADIUS.

Is it possible to connect NPS to an OATH TOTP provider or do you require another RADIUS server? Did I misunderstand how this works and the provider would have additional software to install? I've searched online but haven't found a very clear answer.

Nelson Rothermel

1 Answer


Looking around a bit I think you might want to approach this a bit differently. Let Amazon services do the OTP heavy lifting and only reach back to your AD for that small part of things.

The method seems to be to first set up Amazon Directory Services to use your AD: http://docs.aws.amazon.com/directoryservice/latest/ad-connector/what_is.html

Enable/configure multi-factor authentication on that: http://docs.aws.amazon.com/directoryservice/latest/ad-connector/connect_mfa.html

Then come back and point your Amazon Workspaces at the Amazon Directory Services instance you just set up: http://docs.aws.amazon.com/workspaces/latest/adminguide/registration.html

I've done none of this, but on paper this looks like it might be easier than what you're contemplating.

Mary
We are currently using Simple AD but would have to change to AD Connector. I've done this before, so this part's easy. In your second link, when you enable MFA you have to specify the RADIUS server IP(s). This is the part I'm having trouble with. It's possible that the WorkSpaces client uses AD Connector for the AD authentication and RADIUS is used only for the second factor. Let's assume that's the case; how do I configure Windows NPS to use virtual MFA such as OATH TOTP? Do I need a 3rd party, do I need to go Linux, etc.? If I can answer this last part I think I can figure out the rest. – Nelson Rothermel Sep 24 '15 at 12:59
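To make concrete what the RADIUS endpoint behind the AD Connector MFA setting actually has to do, here is an added example (not code from the original thread, from AWS, or from NPS): a minimal RFC 2865 responder that treats the User-Password attribute of an Access-Request as an RFC 6238 TOTP code and answers Access-Accept or Access-Reject with a correctly computed Response Authenticator. It assumes the directory service sends plain PAP Access-Requests where User-Password carries the one-time code, that per-user TOTP seeds live in a local dict, and the shared secret, user name and seed values are constructed samples. It uses only the Python standard library; the TOTP routine is checked against the RFC 4226/6238 test vectors in the usage note below.

```python
"""Toy RADIUS (RFC 2865) server that validates an OATH TOTP (RFC 6238) second factor.

Added example, not from the original page. Assumptions: the RADIUS client
sends PAP Access-Requests whose User-Password attribute holds the one-time
code; seeds are stored in a dict keyed by User-Name; secret/user/seed below
are constructed sample values."""
import hashlib
import hmac
import os
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20   # code(1) + id(1) + length(2) + authenticator(16)
STEP = 30         # TOTP time step in seconds


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _md5_xor_chain(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: every 16-byte block is XORed with
    MD5(secret + previous block), the chain seeded by the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result   # chain on ciphertext in both directions
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # pad to 16-byte multiple
    return _md5_xor_chain(padded, secret, request_auth, decrypt=False)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _md5_xor_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack(">BB", atype, 2 + len(value)) + value


def parse_attributes(data: bytes) -> dict:
    """Type/Length/Value walk; keeps the first occurrence of each attribute type."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(atype, data[i + 2:i + alen])
        i += alen
    return attrs


def build_access_request(identifier: int, request_auth: bytes, username: bytes,
                         otp: bytes, secret: bytes) -> bytes:
    """What the RADIUS client (here standing in for the directory service) sends."""
    attrs = _attr(ATTR_USER_NAME, username) + \
        _attr(ATTR_USER_PASSWORD, hide_password(otp, secret, request_auth))
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def _response(code: int, identifier: int, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack(">BBH", code, identifier, HEADER_LEN)   # no attributes in reply
    return head + hashlib.md5(head + request_auth + secret).digest()


def handle_access_request(packet: bytes, secret: bytes, seeds: dict, now: int,
                          skew_steps: int = 1) -> bytes:
    """Server side: unhide the OTP and accept it if it matches the current TOTP
    window (plus/minus skew_steps to tolerate client clock drift)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack(">BBH", packet[:4])
    request_auth = packet[4:HEADER_LEN]
    if code != ACCESS_REQUEST or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(packet[HEADER_LEN:length])
    user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    if user is None or hidden is None or user not in seeds:
        return _response(ACCESS_REJECT, identifier, request_auth, secret)
    presented = reveal_password(hidden, secret, request_auth)
    candidates = [totp(seeds[user], now + d * STEP).encode()
                  for d in range(-skew_steps, skew_steps + 1)]
    ok = any(hmac.compare_digest(presented, c) for c in candidates)
    return _response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, request_auth, secret)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: the reply must carry an authenticator only a holder of the secret can make."""
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(response[4:HEADER_LEN], expected)


if __name__ == "__main__":
    secret = b"radius-shared-secret"              # constructed sample shared secret
    seeds = {b"alice": b"12345678901234567890"}   # constructed sample TOTP seed
    now = int(time.time())
    request_auth = os.urandom(16)
    req = build_access_request(7, request_auth, b"alice",
                               totp(seeds[b"alice"], now).encode(), secret)
    resp = handle_access_request(req, secret, seeds, now)
    print("accept" if resp[0] == ACCESS_ACCEPT else "reject",
          "authenticator ok" if verify_response(resp, request_auth, secret) else "BAD reply")
```

With the RFC 6238 reference seed `12345678901234567890`, `totp(seed, 59)` yields `287082` and `totp(seed, 1111111109)` yields `081804`, matching the published SHA-1 vectors. Two design points worth noting for a production deployment: the MD5-based password hiding and response authenticator are all RADIUS gives you, so the shared secret and the UDP path between the directory service and the RADIUS host need to be treated as sensitive, and accepting neighbouring time steps should be paired with replay protection (remember the last counter accepted per user) so a sniffed code cannot be reused within the window.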