Why is MFA failing on my AWS Managed Microsoft AD directory or my AD Connector?

Last updated: 2021-06-29

I've enabled multi-factor authentication (MFA) on my AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) directory or AD Connector. However, MFA is failing. How can I troubleshoot this?

Resolution

The security group associated with your AWS Managed Microsoft AD or AD Connector must have a rule that allows outbound traffic on port UDP 1812 to the security group associated with your RADIUS server.

Note: If you're using a custom UDP port for MFA authentication, then allow the custom UDP port traffic under the following:

  • Outbound rules on the security group associated with your AWS Managed Microsoft AD or AD Connector.
  • Inbound rules on the security group associated with your RADIUS server.

Verify that port UDP 1812 or your custom UDP port for MFA is allowed under outbound traffic on the AWS Managed Microsoft AD or AD Connector security group

  1. To find the security group associated with your DNS servers, open the AWS Directory Service console, and note the IP addresses under DNS address.
  2. Open the Amazon Elastic Compute Cloud (Amazon EC2) console, and then choose Network Interfaces.
  3. In the search field, enter one of the DNS IP addresses found in step 1 and select the checkbox for that interface.
  4. Under Details, select the security group listed in Security Groups.
  5. Select View outbound rules. Verify that there is a rule allowing outbound traffic on UDP port 1812, or your custom UDP port for MFA, to the IP address space or security group associated with your RADIUS EC2 instances.
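
The same check can be scripted against saved output of `aws ec2 describe-security-groups`. The following is an added example, not AWS-provided code: the function name, security group IDs, and IP addresses are constructed placeholders. It covers both the outbound rule on the directory's security group and the inbound rule on the RADIUS server's security group.

```python
import ipaddress

def find_udp_rule(sg, direction, peer_ip, peer_sg_id, port=1812):
    """Return the first rule in `sg` allowing UDP `port` to/from the peer, else None.

    `sg` is one entry of "SecurityGroups" from `aws ec2 describe-security-groups`.
    Prefix-list peers (PrefixListIds) are not evaluated here.
    """
    key = "IpPermissionsEgress" if direction == "outbound" else "IpPermissions"
    peer = ipaddress.ip_address(peer_ip)
    for rule in sg.get(key, []):
        proto = rule.get("IpProtocol")
        if proto in ("udp", "17"):
            if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
                continue
        elif proto != "-1":  # "-1" means all protocols and all ports
            continue
        # Peer can be matched by security group reference or by CIDR range.
        if any(g.get("GroupId") == peer_sg_id for g in rule.get("UserIdGroupPairs", [])):
            return rule
        if any(peer in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule.get("IpRanges", [])):
            return rule
    return None

# Constructed sample data (placeholder IDs and addresses, not real resources).
DIRECTORY_SG_ID, DIRECTORY_IP = "sg-0aaaaaaaaaaaaaaaa", "10.0.1.20"
RADIUS_SG_ID, RADIUS_IP = "sg-0bbbbbbbbbbbbbbbb", "10.0.2.15"

# Misconfigured: port 1812 is open to the RADIUS group, but for TCP instead of UDP.
BROKEN_DIRECTORY_SG = {"GroupId": DIRECTORY_SG_ID, "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 1812, "ToPort": 1812,
     "UserIdGroupPairs": [{"GroupId": RADIUS_SG_ID}], "IpRanges": []},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
FIXED_DIRECTORY_SG = {"GroupId": DIRECTORY_SG_ID, "IpPermissionsEgress": [
    {"IpProtocol": "udp", "FromPort": 1812, "ToPort": 1812,
     "UserIdGroupPairs": [{"GroupId": RADIUS_SG_ID}], "IpRanges": []},
]}
RADIUS_SERVER_SG = {"GroupId": RADIUS_SG_ID, "IpPermissions": [
    {"IpProtocol": "udp", "FromPort": 1812, "ToPort": 1812,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]}

if __name__ == "__main__":
    for name, sg in (("broken", BROKEN_DIRECTORY_SG), ("fixed", FIXED_DIRECTORY_SG)):
        hit = find_udp_rule(sg, "outbound", RADIUS_IP, RADIUS_SG_ID)
        print(name, "outbound UDP 1812:", "allowed" if hit else "MISSING")
```

If you use a custom UDP port for MFA, pass it as `port`; a result of None means that no rule in that direction covers the RADIUS traffic.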

Verify that the secret key for directory services is the same key configured on the RADIUS server

The RADIUS client and server must use the same shared password or key. Check the RADIUS server logs for further information. The method for checking RADIUS logs depends on your configuration. Review the documentation for your configuration for instructions on accessing the logs.