reference deployment

FreeRADIUS MFA with Amazon WorkSpaces

Add multi-factor authentication (MFA) to Amazon WorkSpaces.

View deployment guide

This solution deploys FreeRADIUS for Amazon WorkSpaces to the Amazon Web Services (AWS) Cloud. FreeRADIUS is an open source remote authentication dial-in user service (RADIUS) server. FreeRADIUS adds MFA for Amazon WorkSpaces by configuring a RADIUS server to authenticate one-time passwords.

AWS logo

This solution was developed by AWS.

  •  What you'll build

  • This solution sets up the following:

    Scenario 1: Deploy FreeRADIUS MFA with Amazon WorkSpaces and self-managed Active Directory

    • A highly available architecture that spans two Availability Zones.*
    • A virtual private cloud (VPC) configured with public and private subnets, according to AWS best practices, to provide you with your own virtual network on AWS.*
    • In the public subnets:
      • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
      • Remote Desktop Gateway (RD Gateway) instances in an Auto Scaling group to help secure remote access to instances in private subnets.*
    • In the private subnets:
      • An Application Load Balancer to allow inbound Secure Shell (SSH) access to Amazon Elastic Compute Cloud (Amazon EC2) instances in private subnets.
      • A Windows Server forest and AWS Managed Microsoft Active Directory (AD) domain controller in each Availability Zone, including a security group and rules for traffic between instances.
      • RADIUS servers installed to Amazon EC2 instances in an Auto Scaling group.
      • Amazon Aurora for a LinOTP database.
      • WorkSpaces for a specified domain user. These users are created in Scenarios 1 and 2.
      • AD Connector configured with the Active Directory Domain Services (AD DS) DNS IP addresses that connects to WorkSpaces.
    • AWS Key Management Service (AWS KMS) to encrypt WorkSpaces root and user volumes and RADIUS server volumes.
    • AWS Secrets Manager to store passwords.
    • AWS Systems Manager for automation documents to do the following:
      • Install and configure Active Directory Domain Services (AD DS) (not shown), Active Directory DNS integration (not shown), AD Connector, and RADIUS server.
      • Enable MFA on AWS Directory Service for Microsoft Active Directory.
    • Amazon EventBridge to invoke Systems Manager for automation documents that configures integration when the RADIUS server auto scaling activity occurs.
    • AWS Lambda to invoke Systems Manager for automation documents.

    For additional Scenarios, refer to the deployment guide.

    * The template that deploys this into an existing VPC skips the components marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy

  • To deploy this solution, follow instructions in the deployment guide, which includes these steps.

    1. Sign in to your AWS account. If you don't have an AWS account, sign up at https://aws.amazon.com.
    2. Launch the AWS Solution. The stack takes about 130 minutes to deploy. Before you create the stack, choose the AWS Region from the top toolbar. Choose one of the following options:
    3. Test the deployment.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

    View deployment guide for details
  •  Costs and licenses

  • You are responsible for the cost of the AWS services and any third-party licenses used while running this solution. There is no additional cost for using the solution.

    This solution includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy a solution, create AWS Cost and Usage Reports to track associated costs. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, refer to What are AWS Cost and Usage Reports?