
xuhao (Customer) to rsaSFDCadmin (RSA): asked a question.
RSA Radius MFA with AWS Workspace
I am trying to enable AWS Workspace MFA using the SecurID Authentication Manager
built-in RADIUS server following this guide:
<https://aws.amazon.com/blogs/security/how-to-enable-multi-factor-authentication-for-amazon-workspaces-and-amazon-quicksight-by-using-microsoft-ad-and-on-premises-credentials/>.
The AWS AD addresses were added in RSA SC as a RADIUS client with the shared
secret, then MFA was enabled on AWS Managed AD with the RSA RADIUS server
information. AWS reports the status of MFA RADIUS as 'completed', and my
Workspace login window has a field 'MFA Code' added under the regular username
and password fields. When trying to log in with the correct username, password,
and token code from my phone SecurID Authenticator app, it gave me the error
"Authentication Failed" from the WorkSpaces client.
The same set of username/password/SecurID token works fine when I tried to
log in to a Windows EC2 that has the Windows agent installed. Any suggestions on
what the cause of the authentication failure with RADIUS is and how to
troubleshoot/resolve it?
The client will send an Authentication Request to UDP port 1812 or UDP port 1645.
If this packet gets to the Auth Manager server, there will be an entry in the
RADIUS 'date' log file in Linux, e.g. /opt/rsa/am/radius/20221221.log for Dec. 21,
2022.
If there is a RADIUS Client entry for the source IP address, the RSA RADIUS
server (FreeRADIUS in later versions of AM, SBR RADIUS in earlier versions of
AM) will hand this Authentication Request to Authentication Manager, which you
can see in the Security Console, either in the Real Time Monitor Authentication
Activity or in an Authentication Activity Report.

Depending on what you see in these logs, you can determine what is happening
with the Authentication Request from AWS.
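The triage steps in the answer above (did the packet reach the AM appliance on a RADIUS auth port, is there a RADIUS Client entry for its source address, and only then look at the Security Console) written out as a small helper. This is an added example, not RSA's or AWS's code; the tcpdump lines, DC addresses and client list are constructed, and the log directory and ports are the ones named in the answer.

```python
"""Triage helper for RADIUS requests from AWS Managed AD to RSA Authentication Manager."""
import re
from datetime import date
from ipaddress import ip_address, ip_network

RADIUS_AUTH_PORTS = {1812, 1645}      # auth ports named in the answer
LOG_DIR = "/opt/rsa/am/radius"        # daily RADIUS log location named in the answer

def radius_log_path(day=None):
    """Daily RADIUS log to inspect on the appliance, e.g. .../20221221.log.
    Accepts a datetime.date or an ISO string; defaults to today."""
    if day is None:
        day = date.today()
    elif isinstance(day, str):
        day = date.fromisoformat(day)
    return f"{LOG_DIR}/{day:%Y%m%d}.log"

# Matches 'IP <src>.<sport> > <dst>.<dport>:' in `tcpdump -nn` output.
_TCPDUMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.(\d+):")

def parse_sources(tcpdump_lines):
    """Return {source_ip: destination_port} for each captured UDP packet."""
    seen = {}
    for line in tcpdump_lines:
        m = _TCPDUMP_RE.search(line)
        if m:
            seen[m.group(1)] = int(m.group(2))
    return seen

def diagnose(expected_dcs, observed, radius_clients):
    """Map each AWS Managed AD DC address to the next troubleshooting step."""
    clients = [ip_network(c, strict=False) for c in radius_clients]
    result = {}
    for dc in expected_dcs:
        if dc not in observed:
            result[dc] = "no packet reached AM: check the network path to UDP 1812/1645"
        elif observed[dc] not in RADIUS_AUTH_PORTS:
            result[dc] = f"packet arrived on UDP {observed[dc]}, not a RADIUS auth port"
        elif not any(ip_address(dc) in n for n in clients):
            result[dc] = "packet arrived but no RADIUS client entry for this source IP"
        else:
            result[dc] = "request handed to AM: check Real Time Monitor / Activity Report"
    return result

# Constructed sample data: two DC requests captured, one on the accounting port.
SAMPLE_TCPDUMP = [
    "10:15:02.118273 IP 10.0.1.21.49152 > 10.0.5.10.1812: RADIUS, Access-Request (1), id: 0x3a length: 118",
    "10:15:07.552901 IP 10.0.1.22.49153 > 10.0.5.10.1813: RADIUS, Accounting-Request (4), id: 0x3b length: 90",
]
RADIUS_CLIENTS = ["10.0.1.21/32"]   # constructed: only the first DC is registered in the Security Console
```

Running `diagnose(["10.0.1.21", "10.0.1.22"], parse_sources(SAMPLE_TCPDUMP), RADIUS_CLIENTS)` on the constructed data points at the wrong port for the second DC and clears the first DC for a Security Console check.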