How can I use Okta with my AWS Managed Microsoft AD to provide multi-factor authentication for end users connecting to an AWS Client VPN endpoint?

Last updated: 2020-04-08

How can I use Okta with my AWS Managed Microsoft AD directory to provide multi-factor authentication (MFA) for end users connecting to an AWS Client VPN endpoint?

Short Description

AWS Client VPN supports the following types of end user authentication:

  • Mutual authentication
  • Active Directory (AD) authentication
  • Dual authentication (Mutual + AD-based authentication)

The MFA service must be enabled on the AD (not directly on the Client VPN). Be sure that your AD type supports MFA. MFA functionality is supported by both new and existing Client VPNs.

To set up MFA for end users connecting to a Client VPN endpoint using Okta:

  • First, complete the IT administrator configuration tasks to set up the required services.
  • Then, have each end user complete the end user configuration tasks to establish their secure connection to the Client VPN endpoint.

Resolution

IT administrator configuration tasks:

Create and configure an AWS Managed Microsoft AD

1.    Create an AWS Managed Microsoft AD directory.

2.    Join a Windows EC2 instance to the AWS Managed Microsoft AD directory.

This instance is used to install services in the AD, and to manage users and groups in the AD. When launching the instance, be sure that the instance is associated with the AD. Also, be sure to add an IAM role with the "AmazonEC2RoleforSSM" policy attached.

3.    Install the AD services, and then configure the AD users and groups.

First, log in to (or use a Remote Desktop Connection to connect to) the instance that you created in step 2 using the following credentials. Be sure to replace <Your Admin password> with the Admin password that you created for the AD in step 1.

User name: Admin@ad_DNS_name
Password: <Your Admin password> 

Then, install the following services using PowerShell (in Admin mode):

install-windowsfeature rsat-ad-tools, rsat-ad-admincenter, gpmc, rsat-dns-server -confirm:$false

Next, create AD users and AD groups. Then, add your users to their appropriate AD groups.

Note: These AD users are the same end users who will connect to the Client VPN service. Thus, while creating users in the AD, be sure to provide both first and last names. Otherwise, Okta might not import users from the AD.

Finally, use the following command to get the SID for your AD groups; the SID is shown in the output. Be sure to replace <Your-AD-group-name> with your AD group name.

Get-ADGroup -Identity <Your-AD-group-name>

Note: You need the SID to authorize the AD users of this group when you configure the Client VPN authorization rules.
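As an added example (not part of the original article), the user and group setup from step 3 in PowerShell on the domain-joined instance, followed by the SID lookup and the Client VPN authorization rule that consumes it. The group name, user, UPN domain, endpoint ID and CIDR are assumed placeholders.

```powershell
# Added example: run in an elevated PowerShell session on the domain-joined
# instance after the RSAT tools from step 3 are installed.
Import-Module ActiveDirectory

$groupName  = "ClientVPN-Users"         # assumed AD group name
$endpointId = "cvpn-endpoint-EXAMPLE"   # placeholder Client VPN endpoint ID
$targetCidr = "10.0.0.0/16"             # placeholder CIDR the group may reach

# Security group whose members are granted access through the VPN.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security

# Create a user with BOTH GivenName and Surname set: Okta's AD import may
# skip accounts that lack a first or last name (see the note above).
$password = Read-Host -AsSecureString "Initial password for jdoe"
New-ADUser -Name "Jane Doe" -GivenName "Jane" -Surname "Doe" `
    -SamAccountName "jdoe" -UserPrincipalName "jdoe@corp.example.com" `
    -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true
Add-ADGroupMember -Identity $groupName -Members "jdoe"

# Check every VPN user for the first/last name requirement before importing to Okta.
$missing = Get-ADGroupMember -Identity $groupName |
    Get-ADUser -Properties GivenName, Surname |
    Where-Object { -not $_.GivenName -or -not $_.Surname }
if ($missing) {
    Write-Warning "Users without first/last name (Okta may not import them):"
    $missing | Select-Object SamAccountName
}

# The SID string is the access group ID that the Client VPN authorization rule takes.
$sid = (Get-ADGroup -Identity $groupName).SID.Value
Write-Host "Group SID: $sid"

# Authorization rule scoped to this group (needs the AWS CLI and an IAM identity
# allowed to call ec2:AuthorizeClientVpnIngress); run after the endpoint exists.
aws ec2 authorize-client-vpn-ingress `
    --client-vpn-endpoint-id $endpointId `
    --target-network-cidr $targetCidr `
    --access-group-id $sid `
    --description "VPN access for $groupName"
```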

Install and configure Okta

1.    Sign up for an Okta account using your work email address. You'll receive an authorization email with the following details:

Okta organization name

Okta homepage URL

Username (Admin_email) 

Temporary Password

2.    Log in using your Okta homepage URL, and then change the temporary password.

3.    Install Okta Verify on the IT administrator's mobile device. Follow the in-app prompts to verify your identity.

4.    Launch another EC2 Windows instance. This instance is used to configure and manage the Okta Radius application. Be sure that the instance is associated with the AD, has the correct IAM role, and has internet access.

5.    Use Remote Desktop to connect to the instance. Then, log in to Okta (https://<company_name>.okta.com) using your credentials from step 1.

6.    Choose Settings, and then choose Downloads. Then, download the Okta Radius Server Agents and AD Agent Installer on your instance.

To install the Okta RADIUS Server Agents:

  • Provide the RADIUS shared secret key and the RADIUS port. Be sure to note these values, because you'll use them later to enable MFA on your AD.
  • (Optional) Configure the RADIUS Agent proxy, if applicable.
  • To register this agent with your domain, enter the custom domain that you registered with Okta.
    sub-domain: company_name
    (from https://<company_name>.okta.com)

After authentication, you're prompted to allow access to the Okta RADIUS Agent. Choose Allow to complete the installation process.

To install the Okta AD Agent Installer:

  • Choose the domain that you plan to manage with this agent. Be sure to use the same domain as your AD's domain.
  • Select a user that's part of your AD (or create a new user). Be sure that this user is part of the Admin group within your AD. The Okta AD agent runs as this user.
  • After you enter the credentials, you're prompted to authenticate and proceed to install the AD agent.
  • (Optional) Configure the RADIUS Agent proxy, if applicable.
  • To register this agent with your domain, enter the custom domain that you registered with Okta.
    sub-domain: company_name
    (from https://<company_name>.okta.com)

7.    In the same Windows EC2 instance, choose Services. Then, verify that both Okta Radius Server Agents and AD Agent Installer are installed and are in the Running state.

Import AD users from your AD to Okta

Log in to your Okta account using your Okta homepage URL and credentials:

1.    From the top navigation bar in Okta, choose Directory, and then choose Directory Integrations.

2.    Select your AD, and then activate the directory. After it's activated, choose Import, Import Now, Full Import.

3.    Select the AD users and groups that you want to import from your AD to Okta.

4.    Choose Confirm Assignments, and then select Auto-activate users after confirmation.

5.    In your directory, verify the status of your imported users under People. Your users should all be in the Active state. If not, select each individual user and activate them manually.

Install the Radius application and assign it to your AD users

1.    On your Okta homepage, choose Applications, Add Application. Search for Radius Application, and then choose Add.

2.    Under Sign-On Options:

  • Be sure that Okta performs primary authentication is NOT selected.
  • For UDP Port, choose the port that you selected during installation of the Okta Radius Server Agents.
  • For Secret Key, choose the key that you selected during installation of the Okta Radius Server Agents.

3.    For Application username format, choose AD SAM account name.

4.    Assign the Radius application to your AD users and groups:

  • Choose Assign.
  • Choose Assign to People or Assign to Groups (depending on your use case).
  • Select all of the names of the desired AD users or groups.
  • Choose Done.

Enable MFA for your users

1.    On your Okta homepage, choose Security, Multifactor, Factor Types.

2.    For Okta Verify, choose Okta Verify with Push.

3.    Choose Factor Enrollment, and then choose Add Rule.

4.    To assign this MFA rule to the Radius application, choose Applications, Radius Application, Sign On Policy, Add Rule.

5.    Under Conditions, confirm that the rule applies to Users assigned this app. For Actions, choose Prompt for factor.

Modify the security group configuration

1.    Log in to the AWS Management Console.

2.    Choose Security groups.

3.    Select the security group for the directory controllers.

4.    Edit the outbound rules of the AD security group to allow UDP 1812 (or the RADIUS service port) to the destination IP (private IP) of your RADIUS server. Or, you can allow all traffic, if your use case permits.

Enable MFA on your AWS Managed Microsoft AD

1.    Choose Directory Service, and then choose Directories.

2.    Select your directory.

3.    Under Networking & security, choose Multi-factor authentication. Then, choose Actions, Enable.

4.    Specify the following:

  • RADIUS server DNS name or IP addresses: Enter the private IP address of the EC2 Radius instance.
  • Port: Enter the port that you selected during installation of the Okta Radius Server Agents.
  • Shared secret code: Choose the key that you selected while installing the Okta Radius Server Agents.
  • Protocol: Choose PAP.
  • Server timeout: Set the desired value.
  • Max RADIUS request retries: Set the desired value.
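The security group change and the directory MFA settings above, as AWS CLI calls issued from PowerShell on the admin workstation (an added example, not part of the original article). The scoped egress rule is shown instead of the "allow all traffic" alternative; the directory ID, security group ID and RADIUS server IP are placeholders.

```powershell
# Added example: assumes the AWS CLI is installed and credentials are configured.
$directoryId = "d-EXAMPLE0000"    # placeholder AWS Managed Microsoft AD directory ID
$adSgId      = "sg-EXAMPLE0000"   # placeholder security group of the directory controllers
$radiusIp    = "10.0.1.25"        # placeholder private IP of the Okta RADIUS agent instance
$radiusPort  = 1812               # port chosen when installing the Okta RADIUS Server Agent

# Outbound rule limited to UDP on the RADIUS port towards the one RADIUS host (/32).
# This is narrower than "allow all traffic" and is all the controllers need for MFA.
$egress = @(@{
    IpProtocol = "udp"; FromPort = $radiusPort; ToPort = $radiusPort
    IpRanges   = @(@{ CidrIp = "$radiusIp/32"; Description = "Okta RADIUS agent" })
})
$egressFile = Join-Path $env:TEMP "egress.json"
ConvertTo-Json -InputObject $egress -Depth 4 | Set-Content -Path $egressFile
aws ec2 authorize-security-group-egress --group-id $adSgId --ip-permissions "file://$egressFile"

# RADIUS settings for the directory (same values as the console form above).
# The shared secret is read interactively so it never lands in the script or shell history.
$secret = Read-Host "RADIUS shared secret"
$radius = @{
    RadiusServers          = @($radiusIp)
    RadiusPort             = $radiusPort
    RadiusTimeout          = 30      # seconds; long enough for an Okta Verify push
    RadiusRetries          = 3
    SharedSecret           = $secret
    AuthenticationProtocol = "PAP"
    DisplayLabel           = "Okta"
    UseSameUsername        = $true
}
$radiusFile = Join-Path $env:TEMP "radius-settings.json"
ConvertTo-Json -InputObject $radius -Depth 3 | Set-Content -Path $radiusFile
try {
    aws ds enable-radius --directory-id $directoryId --radius-settings "file://$radiusFile"
} finally {
    Remove-Item $radiusFile -Force   # do not leave the secret on disk
}
```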

Create the Client VPN endpoint

1.    After the AWS Managed Microsoft AD and MFA are set up, create the Client VPN endpoint using the AD for which MFA has been enabled.

2.    Download the new client configuration file and distribute it to your end users. Note: You can download the client configuration file using the AWS Management Console, the AWS CLI, or the API.

3.    Confirm that the client configuration file includes the following parameters:

auth-user-pass
static-challenge "Enter MFA code " 1

Note: If you're using dual authentication (for example, mutual authentication + AD-based authentication), also be sure to add the client <cert> and <key> to the configuration file.
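An added example (not part of the original article) that checks a downloaded client configuration file for the directives listed in step 3 before it is distributed; with -DualAuth it also requires the inline <cert> and <key> blocks. The function name is assumed.

```powershell
# Added example: validate a Client VPN configuration file before distribution.
function Test-ClientVpnConfig {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $DualAuth   # set when the endpoint uses mutual + AD authentication
    )
    $text = Get-Content -Path $Path -Raw
    $problems = @()

    # auth-user-pass makes the client prompt for the AD username and password.
    if ($text -notmatch '(?m)^\s*auth-user-pass\s*$') {
        $problems += "missing 'auth-user-pass'"
    }
    # static-challenge adds the second prompt for the Okta MFA code; the trailing
    # flag (1) echoes the typed response, as in the directive shown above.
    if ($text -notmatch '(?m)^\s*static-challenge\s+"[^"]+"\s+[01]\s*$') {
        $problems += "missing or malformed 'static-challenge'"
    }
    if ($DualAuth) {
        foreach ($block in 'cert', 'key') {
            if ($text -notmatch "(?s)<$block>.*?</$block>") {
                $problems += "missing inline <$block> block needed for mutual authentication"
            }
        }
    }
    if ($problems.Count -eq 0) {
        Write-Host "${Path}: OK"
        return $true
    }
    $problems | ForEach-Object { Write-Warning "${Path}: $_" }
    return $false
}

# Usage: Test-ClientVpnConfig -Path .\downloaded-client-config.ovpn -DualAuth
```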

End user configuration tasks:

1.    Make sure that the Okta Verify mobile application is installed on your mobile device.

2.    Log in to the Okta homepage using the following credentials:

OKTA homepage URL: https://<company_name>.okta.com
Username: End user's AD name
Password: End user's AD password

3.    Follow the provided instructions to set up multi-factor authentication.

4.    Install the AWS Client VPN for Desktop tool.
Note: You can also connect to the Client VPN endpoint using any other standard OpenVPN-based client tool.

5.    Create a profile using the client configuration file provided by your IT administrator.

6.    To connect to the Client VPN endpoint, enter your AD user credentials when prompted. Then, enter the MFA code generated by your Okta Verify application.

