How can I use Okta with my AWS Managed Microsoft AD to provide multi-factor authentication for end users connecting to an AWS Client VPN endpoint?

Last updated: 2020-11-11

How can I use Okta with my AWS Directory Service for Microsoft Active Directory to provide multi-factor authentication (MFA) for end users who are connecting to an AWS Client VPN endpoint?

Short description

AWS Client VPN supports the following types of end user authentication:

  • Mutual authentication
  • Microsoft Active Directory authentication
  • Dual authentication (Mutual + Microsoft Active Directory-based authentication)

The MFA service must be enabled on the AWS Managed Microsoft AD (not directly on the Client VPN). Be sure that your AWS Managed Microsoft AD type supports MFA. MFA functionality is supported by both new and existing Client VPNs.

To set up MFA for end users who are connecting to a Client VPN endpoint using Okta:

  1. Complete the IT administrator configuration tasks to set up the required services.
  2. Then, have each end user complete the end user configuration tasks to establish their secure connection to the Client VPN endpoint.

Resolution

Note: The following tasks must be completed by IT administrators, except for the last section which must be completed by end users.

Create and configure an AWS Managed Microsoft AD

1.    Create an AWS Managed Microsoft AD directory.

2.    Join a Windows EC2 instance to the AWS Managed Microsoft AD.

This instance is used to install services in the AWS Managed Microsoft AD and to manage users and groups in the AWS Managed Microsoft AD. When launching the instance, be sure that the instance is associated with the AWS Managed Microsoft AD. Also, be sure to add an AWS Identity and Access Management (IAM) role with the "AmazonSSMManagedInstanceCore" and "AmazonSSMDirectoryServiceAccess" policies attached.

3.    Install the AWS Managed Microsoft AD services. Then, configure the AWS Managed Microsoft AD users and groups.

First, log in to (or use a Remote Desktop Connection to connect to) the instance that you created in step 2 using the following credentials. Be sure to replace Your Admin password with the Admin password that you created in step 1.

User name: Admin@ad_DNS_name
Password: Your Admin password

Then, install the following services using PowerShell (in Admin mode):

install-windowsfeature rsat-ad-tools, rsat-ad-admincenter, gpmc, rsat-dns-server -confirm:$false

Next, create Microsoft AD users and Microsoft AD groups. Then, add your users to their appropriate Microsoft AD groups.

Note: These users are the same end users who will connect to the Client VPN service. While creating users in the AWS Managed Microsoft AD, be sure to provide both first and last names. Otherwise, Okta might not import users from the AWS Managed Microsoft AD.

Finally, use the following command to get the SID for your Microsoft AD groups. Be sure to replace Your-AD-group-name with your Microsoft AD group name.

Get-ADGroup -Identity <Your-AD-group-name>

Note: You need the SID to authorize the Microsoft AD users of this group when you configure the Client VPN authorization rules.

Install and configure Okta

1.    Sign up for an Okta account using your work email address. You'll receive an authorization email with the following details:

Okta organization name
Okta homepage URL
Username (Admin_email)
Temporary Password

2.    Log in using your Okta homepage URL, and then change the temporary password.

3.    Install Okta Verify on the IT administrator's mobile device. Follow the in-app prompts to verify your identity.

4.    Launch another EC2 Windows instance. This instance is used to configure and manage the Okta Radius application. Be sure that the instance is associated with the AWS Managed Microsoft AD, has the correct IAM role, and has internet access.

5.    Use Remote Desktop to connect to the instance. Then, log in to Okta (https://<company_name>.okta.com) using your credentials from step 1.

6.    Choose Settings, and then choose Downloads. Then, download the Okta Radius Server Agents and AD Agent Installer to your instance.

To install the Okta RADIUS Server Agents:

  • Provide the RADIUS shared secret key and the RADIUS port. Be sure to note these values, because you'll use them later to enable MFA on your AWS Managed Microsoft AD.
  • (Optional) Configure the RADIUS Agent proxy, if applicable.
  • To register this agent with your domain, enter the custom domain that you registered with Okta (sub-domain: company_name, from https://<company_name>.okta.com).
  • After authentication, you're prompted to allow access to the Okta RADIUS Agent. Choose Allow to complete the installation process.

To install the Okta AD Agent Installer:

  • Choose the domain that you plan to manage with this agent. Be sure to use the same domain as your Microsoft AD's domain.
  • Select a user who is part of your Microsoft AD (or create a new user). Be sure that this user is part of the Admin group within your Microsoft AD. The Okta Microsoft AD agent runs as this user.
  • After you enter the credentials, you're prompted to authenticate and proceed to install the Microsoft AD agent.
  • (Optional) Configure the RADIUS Agent proxy, if applicable.
  • To register this agent with your domain, enter the custom domain that you registered with Okta (sub-domain: company_name, from https://<company_name>.okta.com).

7.    In the same Windows EC2 instance, choose Services. Then, verify that both Okta Radius Server Agents and AD Agent Installer are installed and are in the Running state.

Import AD users from your AWS Managed Microsoft AD to Okta

1.    Log in to your Okta account using your Okta homepage URL and credentials.

2.    From the top navigation bar in Okta, choose Directory, and then choose Directory Integrations.

3.    Select your AWS Managed Microsoft AD, and then activate the directory. After it's activated, choose Import, Import Now, and then Full Import.

4.    Select the Microsoft AD users and groups that you want to import from your AWS Managed Microsoft AD to Okta.

5.    Choose Confirm Assignments, and then select Auto-activate users after confirmation.

6.    In your directory, verify the status of your imported users under People. Your users should all be in the Active state. If not, select each individual user and activate them manually.

Install the Radius application and assign it to your Microsoft AD users

1.    On your Okta homepage, choose Applications, Add Application. Search for Radius Application, and then choose Add.

2.    Under Sign-On Options, be sure that Okta performs primary authentication is not selected. For UDP Port, choose the port that you selected during installation of the Okta Radius Server Agents. For Secret Key, choose the key that you selected during installation of the Okta Radius Server Agents.

3.    For Application username format, choose AD SAM account name.

4.    Assign the Radius application to your Microsoft AD users and groups. Choose Assign. Then, choose Assign to People or Assign to Groups (depending on your use case). Select all of the names of the desired Microsoft AD users or groups. Choose Done.

Enable MFA for your users

1.    On your Okta homepage, choose Security, Multifactor, Factor Types.

2.    For Okta Verify, choose Okta Verify with Push.

3.    Choose Factor Enrollment, and then choose Add Rule.

4.    To assign this MFA rule to the Radius application, choose Applications, Radius Application, Sign On Policy, and Add Rule.

5.    Under Conditions, confirm that the rule applies to Users assigned this app. For Actions, choose Prompt for factor.

Modify the security group configuration

1.    Log in to the AWS Management Console.

2.    Choose Security groups.

3.    Select the security group for the directory controllers.

4.    Edit the outbound rule for the security group of the Microsoft AD to allow UDP 1812 (or the Radius service port) for the destination IP address (private IP address) of your Radius Server. Or, you can allow all traffic, if your use case permits.

Enable MFA on your AWS Managed Microsoft AD

1.    Open the AWS Directory Service console.

2.    Choose Directory Service, and then choose Directories.

3.    Select your directory.

4.    Under Networking & security, choose Multi-factor authentication. Then, choose Actions, Enable.

5.    Specify the following:

  • RADIUS server DNS name or IP addresses: Enter the private IP address of the EC2 Radius instance.
  • Display label: Enter a label name.
  • Port: Enter the port that you selected during installation of the Okta Radius Server Agents.
  • Shared secret code: Choose the key that you selected while installing the Okta Radius Server Agents.
  • Protocol: Choose PAP.
  • Server timeout: Set the desired value.
  • Max RADIUS request retries: Set the desired value.

Create the Client VPN endpoint

1.    After the AWS Managed Microsoft AD and MFA are set up, create the Client VPN endpoint using the Microsoft AD for which MFA has been enabled.

2.    Download the new client configuration file and distribute it to your end users.
Note: You can download the client configuration file from the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the API command.

3.    Confirm that the client configuration file includes the following parameters:

auth-user-pass
static-challenge "Enter MFA code " 1

Note: If you're using dual authentication (for example, mutual authentication + AD-based authentication), also be sure to add the client <cert> and <key> to the configuration file.
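The check in step 3 can be automated before the configuration file is distributed. The following Python script is an added example (not part of this article or of the AWS Client VPN tooling): it parses an OpenVPN-style client configuration into directives and inline blocks, then reports whether the AD-authentication parameters above are present, and, for dual authentication, whether the client <cert> and <key> blocks are present. The sample configuration is constructed, with a placeholder endpoint name and certificate body.

```python
import re

# Constructed sample client configuration (placeholder endpoint name and
# certificate body; not a real AWS-generated file).
SAMPLE_CONFIG = """\
client
remote cvpn-endpoint-EXAMPLE.prod.clientvpn.us-east-1.amazonaws.com 443
auth-user-pass
static-challenge "Enter MFA code " 1
<ca>
placeholder, not a real certificate
</ca>
"""

def parse_config(text):
    """Split an OpenVPN-style config into {directive: args} and {tag: body}."""
    directives, inline, current, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:  # inside an inline <tag> ... </tag> block
            if line == f"</{current}>":
                inline[current], current, body = "\n".join(body), None, []
            else:
                body.append(line)
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            current = m.group(1)
        elif line and not line.startswith(("#", ";")):
            name, _, args = line.partition(" ")
            directives[name] = args.strip()
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return directives, inline

def check_config(text, dual_auth=False):
    """Return the problems found; an empty list means the file is ready to use."""
    directives, inline = parse_config(text)
    problems = []
    if "auth-user-pass" not in directives:
        problems.append("missing auth-user-pass (AD username/password prompt)")
    challenge = directives.get("static-challenge")
    if challenge is None:
        problems.append("missing static-challenge (MFA code prompt)")
    elif not challenge.endswith(" 1"):
        problems.append("static-challenge echo flag differs from the AWS file (1)")
    if dual_auth:  # mutual + AD authentication also needs the client cert/key
        problems += [f"missing <{t}> block for dual authentication"
                     for t in ("cert", "key") if t not in inline]
    return problems
```

Run check_config on the downloaded file's contents (with dual_auth=True for mutual + AD authentication) and distribute the file only when the returned list is empty.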

End user configuration tasks

1.    Make sure that the Okta Verify mobile application is installed on your mobile device.

2.    Log in to the Okta homepage using the following credentials:

Okta homepage URL: https://<company_name>.okta.com
Username: End user's AD name
Password: End user's AD password

3.    Follow the provided instructions to set up MFA.

4.    Install the AWS Client VPN for Desktop tool.
Note: You can also connect to the Client VPN endpoint using any other standard OpenVPN-based client tool.

5.    Create a profile using the client configuration file provided by your IT administrator.

6.    To connect to the Client VPN endpoint, enter your Microsoft AD user credentials when prompted. Then, enter the MFA code generated by your Okta Verify application.
