As customers move more and more to the cloud, many are leveraging AWS Workspaces as a Desktop as a Service (DaaS) solution to provide end users access to corporate resources at any time, from anywhere. Given that Workspaces are reachable by anyone, from anywhere, a key consideration when moving to AWS Workspaces is, of course, security.
AWS Workspaces can be configured to require Multi-Factor Authentication (MFA) to add a layer of protection to a user name and password (the first “factor”) by requiring users to enter an authentication code (the second factor), which can be provided by a virtual or hardware MFA solution.
There are two ways to do this.
Option 1) Use Centrify Endpoint Services. @Robertson covered in this article how to use the Centrify agent to enforce strong workspace-level security with Centrify's Endpoint Services solution, delivering:
- Access control using Centrify next generation Zone technology
- Strong Authentication with MFA at login, screen lockout or remote desktop
- Privilege Elevation for application or administrative desktop
This is the most secure option.
Option 2) Use Centrify's MFA service with AWS Radius support to require MFA before accessing AWS Workspaces.
In this howto we will focus on option 2.
I want to thank @thesilverfox and @pmudd from two great Centrify customers for validating this howto and implementing the Centrify MFA service to secure their AWS Workspaces.
Let's review the high-level architecture of the solution and the components involved to enable MFA via Radius to AWS Workspaces:
- Centrify Identity Platform - Can be subscribed to in the cloud or customer deployed; delivers the core security services such as AD/LDAP authentication, PKI, shared account password management and MFA
- Centrify Connector - For this howto, brokers Radius authentication requests from clients (AWS Workspaces) to the Centrify Identity Platform for validation. Connectors act as RADIUS servers to the RADIUS client (AWS in this case)
- AWS Workspaces - Will require an MFA code to be entered when accessing the workspaces. The AWS Radius service needs to communicate to a Centrify connector to fulfill the MFA request.
- The connector could be in AWS or on prem if a direct connect connection exists. For example, when working with @thesilverfox, they had already deployed 2 Centrify Connectors on prem (for SSO to AWS web console, MFA to web apps and the AWS CLI) and had a direct connect between AWS and their corporate network. Therefore, they simply used the existing connectors for RADIUS MFA to the AWS Workspaces.
Step 1: Create a Policy to allow Radius Authentication
Logon to the Centrify Identity Platform's Admin Portal, click on Policies and click Add Policy Set.
Give the policy a name (e.g. AWS Workspace RADIUS) and select the users and roles the policy should apply to (the users allowed to authenticate via RADIUS). This grants these users the ability to authenticate to the Centrify Identity Platform via Radius.
Under "User Security Policies" --> Radius, select Yes under "Allow RADIUS client connections" and click on "Require Authentication Challenge". In the dropdown menu, select "Add New Profile". The Authentication Profile will configure the MFA options allowed for RADIUS authentication.
Name the Authentication Profile something appropriate (e.g. AWS Workspace RADIUS). We will set up MFA to send push notifications to enrolled devices to simplify the user experience. For Challenge 1, choose Password and for Challenge 2, choose Mobile Authenticator as shown below:
Step 2: Enable the Centrify Connectors for RADIUS
By default, the Centrify Connectors, which are the RADIUS servers, do not accept RADIUS authentication requests. To configure the connectors to accept RADIUS authentication requests, visit the Centrify Admin Portal, go to Settings --> Network --> "Centrify Connectors". Right click on the connector(s) to enable RADIUS on and select Modify, then click RADIUS. Check the "Enable incoming RADIUS connections" and specify the port to use for RADIUS and click Save.
Step 3: Configure RADIUS Client Settings
By default, Centrify denies RADIUS requests from unknown clients. Before a client (AWS in this case) can successfully make a RADIUS call to Centrify, the client needs to be configured first.
In the Admin Portal, go to Settings --> Authentication --> Radius. Under Clients, click Add.
Next, configure the Radius client by providing a Name, Description, IP or Hostname of the client and a client secret. For the client, enter the IP address based on your AWS configuration. In our environment, we have a managed AWS AD and therefore used the IP addresses of the AWS AD Domain Controllers, which are the clients making the Radius calls in this scenario. In the case of @thesilverfox, their Centrify connectors were on premise and a direct connect from their VPC to their on prem environment was available. Therefore, the clients in this case were the IPs of their Virtual Private Gateway, which routes traffic from AWS to their on prem network.
To enable push notification, make sure that under Response, the Mobile Authenticator option is set to Push as shown below.
Step 4: Configure AWS Workspaces for Authentication
The next step is to configure AWS for Multi-Factor Authentication. In AWS, open the Directory Service console and, under Multi-Factor authentication, fill in the Radius Server configuration. The Radius Server IPs are the IP addresses of the Centrify Connectors. In our environment we have deployed Centrify connectors in AWS, therefore we enter the IPs of those connectors. In the case of @thesilverfox, we entered the IPs of their on premise deployed connectors. Enter the port configured in step 2 and the shared secret configured in step 3 and click Update directory.
At this point the AWS RADIUS client will validate that it can communicate with the RADIUS server. To ensure success, make sure that the Windows firewall of the connectors allows inbound UDP on the port configured in step 2 (e.g. 1812) and that the AWS configuration allows outbound connectivity to the Centrify connectors on the UDP port from step 2. For example, in our environment we had to modify the Windows firewall of the Windows systems the connectors are installed on to accept inbound UDP on the RADIUS port, and modify the outbound rules of the Domain Controller security group to allow outbound UDP to the Radius port (e.g. 1812) on the connectors.
If the configuration is successful, the RADIUS Status will change to Completed.
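If the status does not reach Completed, it helps to test the UDP path and shared secret independently of the console. The following is an added example (not Centrify's or AWS's code) that builds an RFC 2865 Access-Request with a PAP-obfuscated User-Password, sends it to a connector, and verifies the Response Authenticator so a wrong shared secret is distinguishable from a firewall problem. It assumes the AWS RADIUS protocol is set to PAP; the host, port, secret and user values are placeholders you supply.

```python
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # RFC 2865 attribute types

def pap_encode(secret, authenticator, password):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decode(secret, authenticator, encoded):  # inverse, used to check the wire bytes
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind, value):  # Type(1) Length(1, incl. header) Value
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(secret, username, password, ident=1):
    """Header: Code(1) ID(1) Length(2) Request Authenticator(16); then attributes."""
    authenticator = os.urandom(16)
    attrs = (attr(USER_NAME, username) + attr(USER_PASSWORD, pap_encode(secret, authenticator, password))
             + attr(NAS_IDENTIFIER, b"radius-preflight"))  # constructed NAS name, not a real AWS value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator

def reply_is_authentic(secret, request_authenticator, reply):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return len(reply) >= 20 and reply[4:20] == expected

def preflight(host, port, secret, username, password, timeout=5.0):
    """One Access-Request; a timeout usually means UDP is blocked by the connector firewall or security group."""
    packet, authenticator = build_access_request(secret, username, password)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "no reply: check inbound UDP on the connector and security-group egress"
    if not reply_is_authentic(secret, authenticator, reply):
        return "reply failed authenticator check: shared secret mismatch?"
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject", ACCESS_CHALLENGE: "Access-Challenge"}
    return names.get(reply[0], "unexpected code %d" % reply[0])
```

Run it as `preflight("CONNECTOR_IP", 1812, b"SHARED_SECRET", b"user@domain", b"password")` from a host inside the Domain Controller security group; with the push profile from step 1 the connector may hold its reply until the push is approved, so use a timeout longer than the push prompt.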
Step 5: Validate AWS Workspace MFA
To validate MFA for AWS workspaces, we will enroll a device with the Centrify Identity Platform by downloading the Centrify app from the device's store (Google Play, Apple Store, etc.). The enrollment activates the mobile authenticator for push notifications.
We now open the AWS Workspace application and since MFA is enabled, a username, password and MFA code are required to connect. For the MFA code, enter the password again and click Sign In.
At this point, a push notification to the user's mobile device will be sent and when approved, the AWS Workspace will launch successfully.
There you have it. MFA to AWS Workspaces using the MFA service with push notifications provided by the Centrify Identity Platform.
We hope you find this blog insightful. As always, if you have any questions or feedback, please leave us a comment.
VP - Enterprise Solutions