Site icon TOSS

AWS Client VPN configuring the DUO’s MFA

Most of the time we use OpenVPN and their license for VPN with MFA(Multi-Factor Authentication), which will increase an cost of additional EC2 and OpenVPN license. So this will help you to use AWS Client VPN which is very less cost and Configuring DUO’s for MFA.

Follow the below simple steps to Configure the same. If you have stuck in any step let us know in the comments we will help you.

Step 1 : On DUO’s Admin page

Login to DUO’s admin > go to Application > Click on Protect an application

Select Radius

It will create a Radius Application, name it as per your requirements

Step 2: On AWS Console

Make sure you have configured the Directory services in your AWS account, and you have one EC2 Instance to access it through GUI (Active Directory User and Computer)

On that EC2 download the DUO Security Authentication Proxy from below link. And install the same.

https://dl.duosecurity.com/duoauthproxy-latest.exe

Click on Next

Make sure the Open Authentication Proxy Configuration file is checked.

Once you click on finish it will opens the Configuration file which will looks like the below.

Replace them with the below content.

[duo_only_client]

[radius_server_auto]

ikey=XXX

skey=YYY

api_host=api-ZZZ.duosecurity.com

radius_ip_1=<AD-DNS-address#1>

radius_secret_1=<My-password>

radius_ip_2=<AD-DNS-address#2>

radius_secret_2=<My-password>

failmode=safe

client=duo_only_client

port=1812

The Below 3 things you will get from the DUO Application, which we have created in the start named as Radius. In Step 1

radius_ip_1 and 2 will get in the Directory Service which is under the DNS address.

radius_secret_1 and 2 will be the admin password of the Directory Service. If you have forgot it you can reset it in the Directory Service screen.

Once all the changes are done, go to the service and make sure DuoAuthProxy(Duo Security Authentication Proxy Service) is running(most of the time it will be in stop state).

Step 3: On AWS Directory Service

Go to Directory Service, in the bottom you will find Multi-Factor Authentication > Click on Actions > Click on Enable

You will get the below screen, fill all the details as mentioned below.

Make sure the security group is open for 1812 UDP port from the EC2 where you installed the DUO’s Proxy and the directory service.

Once it’s done it will takes approx. 2 minutes to get it up.

Step 4 : On Client VPN Endpoints

Now finally we will be Creating the Client VPN Endpoint Go to VPC > Create Client VPN Endpoint

Fill all the details which are required as per your configuration.

Name Tag:  Name of the Client VPN Endpoint

Description: A brief description of the Client VPN endpoint

Client IPV4 CIDR*: The IP address range, in CIDR notation, from which client IP addresses are allocated.

Server Certificate ARN*: The ARN of the server certificate. The server certificate must be provisioned in AWS Certificate Manager (ACM).

Authentication Options: Here select Use user-based authentication > Select Active Directory authentication.

                Directory ID*: Select the Directory service where we have configured MFA.

Remain options based on your requirements you can select and deselect them.  > Click on Create Client VPN Endpoint

Once Endpoint is created, create the Associate. Add the subnet which is required.

Apply the Security group which will be having an access to RDP or SSH to your EC2 Instances

Add the Authorization rule: In this we will be having all the IP address list which we can connect from the VPN.

Make sure all the routing tables are configured as per requirements. Based on the Subnet you have Associated with it will takes the default Route. You can add the manual routing also.

Once all is done Click on Download Client Configuration. Use that configuration in the AWS Client VPN

Install AWS VPN Client. Click on File > Manage Profiles > Add Profile > Give the Display name and the VPN Configuration File which is downloaded for the AWS.

Provide your Directory Service Username and password > Make sure it should be added in the DUO’s also

I hope this has helped you in “AWS Client VPN configuring the DUO’s MFA“. Share with your friends and coluges.

You can also refer other blogs on AWS

And also if you required any technology you want to learn, let us know below in the comments, we will publish them in our site http://tossolution.com/

Like our page in Facebook and follow us for New technical information.

References are taken from AWS, DUO’s

Exit mobile version