[Howto] - Enforcing Multi-Factor Authentication (MFA) on AWS Workspaces with Centrify

By Centrify Guru | 05-02-2018 05:12 PM

As customers move more and more to the cloud, many are leveraging AWS Workspaces as a Desktop as a Service (DaaS) solution to give end users access to corporate resources at any time, from anywhere.  Since Workspaces is reachable by anyone, from anywhere, security is of course a key consideration when moving to it.

 

AWS Workspaces can be configured to require Multi-Factor Authentication (MFA).  This adds a layer of protection to the user name and password (the first factor) by requiring users to enter an authentication code (the second factor), which can be provided by a virtual or hardware MFA solution.

 

There are two ways to do this.  

 

Option 1) Use Centrify Endpoint Services.  @Robertson covered in a separate article how to use the Centrify agent to enforce strong workspace-level security with Centrify's Endpoint Services solution to deliver:

  • Access control using Centrify next generation Zone technology
  • Strong authentication with MFA at login, screen lock or remote desktop
  • Privilege elevation for application or administrative desktop use

This is the more secure option, because MFA is enforced on the workspace itself (at login, screen unlock and RDP) rather than only when the Workspaces client connects.

 

Option 2) Use Centrify's MFA service with the AWS Directory Service RADIUS support to require MFA before accessing AWS Workspaces.

 

In this howto we will focus on option 2.  

 

I want to thank @thesilverfox and @pmudd from two great Centrify customers for validating this howto and implementing the Centrify MFA service to secure their AWS Workspaces.  

 

Let's review the high-level architecture of the solution and the components involved to enable MFA via Radius to AWS Workspaces:

Screen Shot 2018-04-20 at 11.54.32 AM.png

  • Centrify Identity Platform - Can be subscribed to in the cloud or deployed by the customer; delivers the core security services such as AD/LDAP authentication, PKI, shared account password management and MFA
  • Centrify Connector - For this howto, brokers RADIUS authentication requests from the client (AWS) to the Centrify Identity Platform for validation.  The connector acts as the RADIUS server; AWS Directory Service is the RADIUS client.
  • AWS Workspaces - Will require an MFA code to be entered when a user connects.  The AWS RADIUS client must be able to reach a Centrify connector to fulfill the MFA request. 
    • The connector can be in AWS, or on prem if a Direct Connect link exists.  For example, @thesilverfox had already deployed two Centrify connectors on prem (for SSO to the AWS web console and MFA to web apps and the AWS CLI) and had a Direct Connect between AWS and their corporate network, so they simply reused the existing connectors for RADIUS MFA to AWS Workspaces.

 

Step 1: Create a Policy to allow RADIUS Authentication 

 

Log on to the Centrify Identity Platform's Admin Portal, click Policies and click Add Policy Set.

 

Screen Shot 2018-04-20 at 12.09.45 PM.png

 

Give the policy a name (e.g. AWS Workspace RADIUS) and select the users and roles it should apply to (the users allowed to authenticate via RADIUS).  This grants those users the ability to authenticate to the Centrify Identity Platform via RADIUS, so scope it to the population that actually needs Workspaces access rather than to all users.

 

Screen Shot 2018-04-20 at 12.36.54 PM.png

Under "User Security Policies" --> RADIUS, select Yes under "Allow RADIUS client connections" and click "Require Authentication Challenge".  In the dropdown menu, select "Add New Profile".  The authentication profile defines which MFA methods are allowed for RADIUS authentication.

 

Screen Shot 2018-04-20 at 12.35.08 PM.png

 

Name the authentication profile something appropriate (e.g. AWS Workspace RADIUS).  We will set up MFA to send push notifications to enrolled devices to simplify the user experience.  For Challenge 1, choose Password and for Challenge 2, choose Mobile Authenticator, as shown below:

Screen Shot 2018-05-25 at 10.39.54 AM.png

Step 2: Enable the Centrify Connectors for RADIUS

 

By default the Centrify connectors, which act as the RADIUS servers, do not accept RADIUS authentication requests.  To enable them, go to the Centrify Admin Portal, Settings --> Network --> "Centrify Connectors".  Right-click the connector(s) that should serve RADIUS, select Modify, then click RADIUS.  Check "Enable incoming RADIUS connections", specify the UDP port to use (1812 is the standard RADIUS authentication port) and click Save.

 

 

Screen Shot 2018-04-20 at 3.09.50 PM.png

 

Screen Shot 2018-04-20 at 3.10.38 PM.png

 

 

Step 3: Configure RADIUS Client Settings

 

By default Centrify denies RADIUS requests from unknown clients.  Before a client (AWS in this case) can successfully make a RADIUS call to Centrify, it must be registered with its source IP and a shared secret.

 

In the Admin Portal, go to Settings --> Authentication --> Radius.  Under Clients, click Add.

 

Screen Shot 2018-05-02 at 8.18.00 AM.png

 

 

Next, configure the RADIUS client by providing a name, a description, the IP or hostname of the client and a client secret.  The IP depends on your AWS configuration: it is the source address the RADIUS requests arrive from, not the Workspaces themselves.  In our environment we use a managed AWS AD, so we registered the IP addresses of the AWS AD domain controllers, which are the clients making the RADIUS calls in this scenario.  In the case of @thesilverfox, the Centrify connectors were on premises and a Direct Connect from their VPC to the on-prem environment was available, so the clients were the IPs of the virtual private gateway that routes traffic from AWS to their on-prem network.  Use a long, random shared secret; together with the source IP it is what authenticates the RADIUS client to the connector.

 

Screen Shot 2018-05-02 at 8.23.05 AM.png

 

 

 

To enable push notification, make sure that under Response, the Mobile Authenticator option is set to Push as shown below.

 

Screen Shot 2018-05-25 at 10.45.08 AM.png

 

 

Step 4: Configure AWS Workspaces for Authentication

 

The next step is to configure AWS for multi-factor authentication.  In the AWS console, open Directory Service, select the directory used by Workspaces and, under Multi-Factor Authentication, fill in the RADIUS server configuration.  The RADIUS server IPs are the IP addresses of the Centrify connectors: in our environment the connectors are deployed in AWS, so we entered their IPs; for @thesilverfox we entered the IPs of their on-premises connectors.  Enter the port configured in step 2 and the shared secret configured in step 3, then click Update directory.

 

Screen Shot 2018-05-02 at 7.12.15 PM.png

 

At this point the AWS RADIUS client validates that it can reach the RADIUS server.  To ensure success, make sure the Windows firewall on the connectors allows inbound UDP on the port configured in step 2 (e.g. 1812) and that the AWS side allows outbound connectivity to the connectors on that UDP port.  In our environment we had to add an inbound UDP rule for the RADIUS port to the Windows firewall of the systems the connectors are installed on, and add an outbound rule to the domain controllers' security group allowing UDP to the RADIUS port (e.g. 1812) on the connector IPs.  Scope both rules to the connector and domain controller addresses rather than opening the port broadly.

 

If the configuration is successful, the RADIUS Status will change to Completed.

Screen Shot 2018-05-02 at 7.21.33 PM.png
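The same step 4 configuration can be scripted with boto3.  The block below is an added example for this howto, not Centrify or AWS code: it applies the RADIUS settings to the directory, polls RadiusStatus until it leaves Creating, and adds the outbound UDP rule on the domain controllers' security group (the inbound Windows firewall rule on the connector is done on that host and is not covered here).  The port, timeout, retry count, PAP as the protocol and the display label are assumed values; the directory ID, security group ID and connector IPs come from your own environment.  The boto3 clients are passed in as parameters so the functions can be exercised without AWS credentials.

```python
"""Configure AWS Directory Service RADIUS MFA against Centrify connectors.

Added example for this howto; not AWS or Centrify code.  The `ds` and `ec2`
parameters accept any object with the boto3 client methods used here, so the
logic can be run offline with a stub; real calls need credentials and a
region (boto3 is imported only when no client is supplied).
"""
import time

RADIUS_PORT = 1812  # assumed: the port enabled on the connectors in step 2


def enable_radius(directory_id, connector_ips, shared_secret, port=RADIUS_PORT, ds=None):
    """EnableRadius on the directory: the API equivalent of the console form.
    Timeout/retries/protocol/label are assumed values, not from the post."""
    if ds is None:
        import boto3
        ds = boto3.client("ds")
    settings = {
        "RadiusServers": list(connector_ips),   # Centrify connector IPs (RADIUS servers)
        "RadiusPort": port,
        "RadiusTimeout": 30,                    # seconds per attempt; with a push profile the
        "RadiusRetries": 1,                     # user must approve within timeout * (retries+1)
        "SharedSecret": shared_secret,          # the client secret registered in step 3
        "AuthenticationProtocol": "PAP",        # assumed; must match what the connector expects
        "DisplayLabel": "Centrify MFA code",
        "UseSameUsername": True,                # send the directory user name to RADIUS as-is
    }
    ds.enable_radius(DirectoryId=directory_id, RadiusSettings=settings)
    return settings


def wait_for_radius(directory_id, ds=None, interval=5.0, attempts=24):
    """Poll RadiusStatus until it leaves 'Creating'.  AWS reports Completed only
    after it could talk to a RADIUS server, so Failed usually means the UDP path
    (security group egress or the connector's Windows firewall) is closed."""
    if ds is None:
        import boto3
        ds = boto3.client("ds")
    for _ in range(attempts):
        desc = ds.describe_directories(DirectoryIds=[directory_id])["DirectoryDescriptions"][0]
        status = desc.get("RadiusStatus", "Creating")
        if status != "Creating":
            return status
        time.sleep(interval)
    return "Creating"


def allow_radius_egress(security_group_id, connector_ips, port=RADIUS_PORT, ec2=None):
    """Outbound UDP rule on the domain controllers' security group, one /32 per
    connector rather than UDP to anywhere."""
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2")
    permission = {
        "IpProtocol": "udp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": f"{ip}/32", "Description": "RADIUS to Centrify connector"}
                     for ip in connector_ips],
    }
    ec2.authorize_security_group_egress(GroupId=security_group_id, IpPermissions=[permission])
    return permission


if __name__ == "__main__":
    # Usage (real AWS call): python aws_radius.py d-xxxxxxxxxx sg-xxxxxxxx 10.0.1.10 10.0.2.10
    import sys
    directory, sg, *ips = sys.argv[1:]
    secret = input("RADIUS shared secret from step 3: ")
    allow_radius_egress(sg, ips)
    enable_radius(directory, ips, secret)
    print("RadiusStatus:", wait_for_radius(directory))
```

Run it after the connectors are enabled for RADIUS (step 2) and the client IPs are registered (step 3); if `wait_for_radius` returns Failed, check the two firewall paths described above before touching the shared secret.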

Step 5: Validate AWS Workspace MFA

 

To validate MFA for AWS Workspaces, we enroll a device with the Centrify Identity Platform by installing the Centrify app from the device's store (Google Play, Apple App Store, etc.).  Enrollment activates the mobile authenticator for push notifications. 

 

Screenshot_2018-05-02-19-20-32.png

 

We now open the AWS Workspaces client.  Since MFA is enabled, a username, password and MFA code are required to connect.  The MFA code field is what AWS forwards to the connector in the RADIUS request, and the authentication profile from step 1 uses Password as its first challenge, so enter the password again in the MFA code field and click Sign In.

 Screen Shot 2018-05-25 at 10.52.01 AM.png

 

 

 

At this point, a push notification to the user's mobile device will be sent and when approved, the AWS Workspace will launch successfully.

 

 

 

Screenshot_2018-05-25-10-53-27.png

 

 

 

Screen Shot 2018-05-02 at 7.40.12 PM.png
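To check the RADIUS leg on its own, without the Workspaces client, the following added example (not part of the original post, and not Centrify or AWS code) sends a single RFC 2865 Access-Request from a host whose IP is registered as a RADIUS client in step 3 to a connector enabled in step 2.  It hides the password with the PAP scheme and verifies the Response Authenticator of whatever comes back, so a reply forged with the wrong shared secret is rejected rather than trusted.  Because the step 1 profile uses Password as the first challenge, the value carried in User-Password is the user's password, exactly as the Workspaces client sends it; the push then goes to the phone and the connector answers once it is approved.  Host, port, secret and credentials are command-line arguments; the `build_response` helper exists only to simulate the server side offline.  Standard library only.

```python
"""RFC 2865 PAP test client for a Centrify connector acting as RADIUS server.

Added example for this howto; not Centrify or AWS code.  Standard library only.
Run from a host whose source IP is registered as a RADIUS client (step 3).
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_REPLY_MESSAGE = 1, 2, 4, 18


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide: what the server does before checking the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> list:
    """Return [(type, value), ...]; reject truncated or zero-length TLVs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(user: str, password: str, secret: bytes,
                         nas_ip: str = "127.0.0.1", identifier: int = None):
    """Return (packet, request_authenticator).  The authenticator is 16 random
    octets; keep it, the reply can only be verified against it."""
    authenticator = os.urandom(16)
    identifier = os.urandom(1)[0] if identifier is None else identifier
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, pap_hide(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret):
    """What a RADIUS server sends back; used here only to simulate the connector."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply is authenticated with our secret against our request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def send_access_request(host, port, secret, user, password, timeout=90.0):
    """Send one Access-Request; return (code name, Reply-Message texts).
    The timeout is long on purpose: with a push profile the connector holds
    the request until the user approves on the phone."""
    packet, request_auth = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        reply, _ = sock.recvfrom(4096)
    if reply[1] != packet[1] or not verify_response(reply, request_auth, secret):
        raise RuntimeError("reply failed the Response Authenticator check (wrong secret or spoofed)")
    messages = [v.decode(errors="replace") for t, v in parse_attributes(reply[20:])
                if t == ATTR_REPLY_MESSAGE]
    return CODE_NAMES.get(reply[0], f"code {reply[0]}"), messages


if __name__ == "__main__":
    import sys  # usage: radius_check.py <connector-ip> <port> <secret> <user> <password>
    host, port, secret, user, password = sys.argv[1:6]
    print(send_access_request(host, int(port), secret.encode(), user, password))
```

An Access-Reject before the phone buzzes points at the step 3 client entry (source IP or secret) or the step 1 policy not covering the user; a socket timeout with no reply at all is the UDP path from step 4.  Note that a connector will silently drop requests from an unregistered source IP, so a timeout can also mean you are testing from the wrong host.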

 

There you have it: MFA to AWS Workspaces, with push notifications provided by the Centrify Identity Platform's MFA service.

 

We hope you find this blog insightful.  As always, if you have any questions or feedback, please leave us a comment.

 

Regards,

 

Felderi Santiago

VP - Enterprise Solutions

Centrify Corporation

 
