Enable MFA for AWS managed AD using FreeRADIUS with google-authenticator

sumitjoshi
5 min read · Jun 12, 2020


MFA adds an extra layer of protection to a user name and password (the first "factor") by requiring users to enter an authentication code (the second factor) generated by a virtual or hardware MFA device. To enable MFA for AWS Managed AD we need a RADIUS server: AWS Managed Microsoft AD forwards the second factor to it. RADIUS is an IETF standard client/server protocol that provides authentication, authorization, and accounting. We are using the open source FreeRADIUS server together with google-authenticator (time-based one-time codes checked through PAM).

How to set up a FreeRADIUS server with Google Authenticator

1. Install FreeRADIUS
yum install freeradius freeradius-utils

After installing FreeRADIUS we need to make some changes to its configuration so that it authenticates through google-authenticator.

2. Change the authentication mode to use PAM.
Open /etc/raddb/sites-enabled/default in vi and locate the commented-out pam line in the authenticate section:

#  Pluggable Authentication Modules.
# pam

Update it to

#  Pluggable Authentication Modules.
pam

Enable the pam module by symlinking it into mods-enabled:

ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam

3. Now update /etc/raddb/clients.conf
Add a client block to clients.conf. ipaddr must cover the IP addresses of your domain controllers (only those addresses may send requests to this server), and secret is the shared secret you will later enter in the AWS console:

client dockernet {
ipaddr = 10.51.0.0/16
secret = secret123
require_message_authenticator = no
nas_type = other
}

4. Update the default Auth-Type. Edit /etc/raddb/users and locate the following:

#DEFAULT Group == "disabled", Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
#

Update it to

DEFAULT Auth-Type := PAM
DEFAULT Group == "disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."

5. FreeRADIUS execution mode
FreeRADIUS must run as root to read the .google_authenticator file in each user's home directory. Edit /etc/raddb/radiusd.conf and search for user and group:

user = radiusd
group = radiusd

Update it to

#user = radiusd
#group = radiusd
user = root
group = root

Test FreeRADIUS with UNIX account credentials by starting radiusd in debug mode.

First of all, create a test user:

[root@ip-10-3-46-33 home]# useradd raduser
[root@ip-10-3-46-33 home]# passwd raduser
Changing password for user raduser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Start radiusd in debug mode, then send a test request with radtest from a second shell (testing123 is the default secret for the localhost client in clients.conf):

[root@ip-10-3-46-33 home]# radiusd -X
[root@ip-10-3-46-33 home]# radtest raduser Mypassword1 localhost 0 testing123
Sending Access-Request Id 194 from 0.0.0.0:47103 to 127.0.0.1:1812
User-Name = "raduser"
User-Password = "Mypassword1"
NAS-IP-Address = 10.3.46.33
NAS-Port = 0
Message-Authenticator = 0x00
Received Access-Accept Id 194 from 127.0.0.1:1812 to 127.0.0.1:39289 length 20

The response should be Received Access-Accept; otherwise you will receive an Access-Reject.

Join host to Domain

Now join your host to your domain using realm and winbind. Install the packages first:

yum install samba-winbind samba-winbind-clients pam_krb5 realmd

Join to your domain using realm:

[root@ip-10-3-46-33 ec2-user]# realm join --client-software=winbind -U Admin mindtickle.com
Password for Admin:

Now list the domain users using wbinfo to confirm the join worked:

[root@ip-10-3-46-33 ec2-user]# wbinfo -u
mindtickle\guest
mindtickle\krbtgt
mindtickle\administrator
mindtickle\admin
mindtickle\sumit
mindtickle\aws_secureconnect

Install Google Authenticator

[root@ip-10-3-46-33 home]# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
[root@ip-10-3-46-33 home]# yum install google-authenticator

PAM

The /etc/pam.d/radiusd file needs to be configured to use Google Authenticator only, so that the RADIUS server checks just the one-time code (the Active Directory password itself is verified by AWS Managed AD, not by RADIUS).

Replace the /etc/pam.d/radiusd file with the following configuration:

#%PAM-1.0
auth sufficient pam_google_authenticator.so
account include password-auth
password include password-auth
session include password-auth

Create a new user or use an existing one, and set up Google Authenticator for that UNIX user:

[root@ip-10-3-46-33 home]# su - sumit
[sumit@ip-10-3-46-33 ~]$ pwd
/home/sumit
[sumit@ip-10-3-46-33 ~]$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
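To show what pam_google_authenticator checks when a code arrives via RADIUS, here is an added example (not from this post or the google-authenticator project): a Python TOTP verifier over a constructed .google_authenticator file. The file layout (base32 secret first, option lines prefixed with a double quote, then scratch codes) follows the real tool; the window handling approximates WINDOW_SIZE as the number of 30-second steps accepted around the current one, and the secret is the RFC 6238 test key so the codes are checkable.

```python
import base64, hashlib, hmac, struct, time

# Constructed .google_authenticator file: base32 secret, '" ' option lines, then scratch codes.
# The secret is the RFC 6238 test key "12345678901234567890", so the codes are checkable.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

def parse_google_authenticator(text):
    """Return (secret bytes, {option: args}, set of unused scratch codes)."""
    lines = text.splitlines()
    secret = base64.b32decode(lines[0].strip())
    options, scratch = {}, set()
    for line in lines[1:]:
        if line.startswith('" '):
            key, *args = line[2:].split()
            options[key] = args
        elif line.strip():
            scratch.add(line.strip())
    return secret, options, scratch

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, 6 decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_code(code, secret, options, scratch, now=None, used=None):
    """Accept a TOTP within WINDOW_SIZE 30-second steps around now, or an unused scratch code."""
    if code in scratch:
        scratch.discard(code)            # scratch codes are single use
        return True
    now = int(time.time()) if now is None else now
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    step, used = now // 30, (set() if used is None else used)
    for delta in range(-(window // 2), window // 2 + 1):
        if hotp(secret, step + delta) == code:
            if step + delta in used:     # DISALLOW_REUSE: one login per time step
                return False
            used.add(step + delta)
            return True
    return False
```

Pass the set returned for used between calls to get the DISALLOW_REUSE behaviour; the RATE_LIMIT option is parsed but not enforced here.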

Now test user authentication with the Google Authenticator code, in this format:
radtest <username> <accesscode> localhost 0 testing123

[root@ip-10-3-46-33 home]# radtest sumit 596314 localhost 0 testing123
Sent Access-Request Id 179 from 0.0.0.0:47103 to 127.0.0.1:1812 length 75
User-Name = "sumit"
User-Password = "596314"
NAS-IP-Address = 10.3.46.33
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "596314"
Received Access-Accept Id 179 from 127.0.0.1:1812 to 0.0.0.0:0 length 20

Setup Google Authenticator for AD user

[root@ip-10-3-46-33 home]# su - sumit\\mindtickle
[sumit@ip-10-3-46-33 ~]$ pwd
/home/sumit@mindtickle
[sumit@ip-10-3-46-33 ~]$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y

Now test for the AD user:

[root@ip-10-3-46-33 home]# radtest sumit@mindtickle.com 596314 localhost 0 testing123
Sent Access-Request Id 179 from 0.0.0.0:47103 to 127.0.0.1:1812 length 75
User-Name = "sumit@mindtickle.com"
User-Password = "596314"
NAS-IP-Address = 10.3.46.33
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "596314"
Received Access-Accept Id 179 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
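What radtest is doing on the wire, as an added example that is not part of the original post: a small Python encoder and decoder for the PAP Access-Request shown above. It hides User-Password with the RFC 2865 MD5 scheme and signs the packet with Message-Authenticator (HMAC-MD5, RFC 2869), the attribute that require_message_authenticator = yes in clients.conf makes the server insist on. The user name, code, identifier, shared secret and NAS-IP-Address are the values from the radtest output; the Request Authenticator is a fixed constructed value.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80

def pap_xor(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result   # chaining always uses the ciphertext block
    return out

def avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Client side: the PAP Access-Request radtest sends (values constructed, not captured)."""
    auth = authenticator or os.urandom(16)      # Request Authenticator
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, pap_xor(padded, secret, auth))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(NAS_PORT, struct.pack("!I", 0))
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))   # zero placeholder, signed below
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth
    mac = hmac.new(secret, header + attrs, "md5").digest()   # RFC 2869 5.14, over the whole packet
    return header + attrs[:-16] + mac

def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header and the Message-Authenticator offset."""
    attrs, pos, mac_pos = {}, 20, None
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        if attr_type == MESSAGE_AUTHENTICATOR:
            mac_pos = pos + 2
        pos += length
    return attrs, mac_pos

def verify_access_request(packet, secret):
    """Server side: check Message-Authenticator with the shared secret, then recover the PAP password."""
    auth, (attrs, mac_pos) = packet[4:20], parse_attributes(packet)
    mac_ok = False
    if mac_pos is not None:
        zeroed = packet[:mac_pos] + bytes(16) + packet[mac_pos + 16:]
        mac_ok = hmac.compare_digest(hmac.new(secret, zeroed, "md5").digest(), packet[mac_pos:mac_pos + 16])
    password = pap_xor(attrs[USER_PASSWORD], secret, auth, decrypt=True).rstrip(b"\x00")
    return attrs[USER_NAME].decode(), password.decode(errors="replace"), mac_ok
```

With the constructed authenticator the encoded packet is 75 bytes, the length radtest reports above; a packet altered in transit or signed with a different shared secret fails the Message-Authenticator check.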

This is just a demonstration of how it works. In production deployments users can log in to the RADIUS machine with their Active Directory credentials and configure google-authenticator themselves. Our setup of FreeRADIUS with google-authenticator is now ready. Let's integrate it with Active Directory.

To enable multi-factor authentication for AWS Managed Microsoft AD:

  1. Identify the IP address of your RADIUS MFA server and your AWS Managed Microsoft AD directory.
  2. Edit your Virtual Private Cloud (VPC) security groups to enable communications over port 1812 between your AWS Managed Microsoft AD IP end points and your RADIUS MFA server.
  3. In the AWS Directory Service console navigation pane, select Directories.
  4. Choose the directory ID link for your AWS Managed Microsoft AD directory.
  5. On the Directory details page, select the Networking & security tab.
  6. In the Multi-factor authentication section, choose Actions, and then choose Enable.
  7. On the Enable multi-factor authentication (MFA) page, provide the following values:
     Display label: provide a label name.
     RADIUS server DNS name or IP addresses: the IP addresses of your RADIUS server endpoints, or the IP address of your RADIUS server load balancer. You can enter multiple IP addresses by separating them with a comma.
     Port: the port that your RADIUS server is using for communications. Your on-premises network must allow inbound traffic over the default RADIUS server port (UDP:1812) from the AWS Directory Service servers.
     Shared secret code: the shared secret code that was specified when your RADIUS endpoints were created.
     Confirm shared secret code.
     Protocol: select the protocol that was specified when your RADIUS endpoints were created.
     Server timeout (in seconds): the amount of time, in seconds, to wait for the RADIUS server to respond. This must be a value between 1 and 50.
     Max RADIUS request retries: the number of times that communication with the RADIUS server is attempted. This must be a value between 0 and 10.
  8. Multi-factor authentication is available when the RADIUS Status changes to Enabled.
  9. Choose Enable.

Done. Users will now be asked to provide an MFA access code for authentication along with their Active Directory password.

