Creating a DUO MFA Service in AWS




Amazon Web Services (AWS) is a cloud platform that gives companies many ways to use cloud computing within their organisation. In 2013 AWS introduced WorkSpaces, a Desktop-as-a-Service product for those who want to bring cloud technology into their workflow. A WorkSpace is a virtual desktop inside a Virtual Private Cloud (VPC), which gives controlled access to applications and systems hosted within AWS. In 2014 AWS added controls to its Directory Service that allow an Active Directory environment connected to AWS to be secured with Multi-Factor Authentication (MFA), for example a hardware key fob. Enabling MFA adds an extra stage to the WorkSpaces login that asks for the additional authentication passcode.

This tutorial runs through the steps and requirements for using a DUO Security RADIUS proxy (the DUO Authentication Proxy) within AWS as that MFA server. The benefit of the DUO proxy is its versatility: it supports multiple device types and authentication methods. For more information, and to create an account, visit www.duosecurity.com.

Prerequisites

You will need:

- An AWS account
- A VPC in an AWS region that supports WorkSpaces and Directory Service
- Four subnets within that VPC:
  - one public subnet housing a working NAT server
  - one private subnet for your internal server instances
  - two private subnets for your WorkSpaces
- Two Windows Active Directory domain controllers, one in each of the two WorkSpaces subnets, fully configured with DNS and a working AD domain
- One AWS Directory Service connection to that AD domain, with working WorkSpaces
- A DUO Security account, configured and working with at least one user
- A basic understanding of creating DUO accounts, devices and authentication methods

Launch a new Instance

For my purposes I installed an Ubuntu 14 Server from the AWS Quick Launch. This is my preference; you may prefer a different flavour of Linux, in which case you will need to adjust the commands to suit your distribution. The instance I created is a t2.medium in a PRIVATE subnet (it reaches the Internet via the NAT box), with all other settings left at their defaults. For the Security Group I used a single rule: All Traffic from my VPC CIDR, on the grounds that the instance sits in a private subnet. A private subnet is not a trust boundary on its own, though: a tighter rule is to allow only UDP 1812 (the RADIUS port configured below) from the IP addresses of your directory, plus SSH from the host you administer it from.

Once the instance was launched I created a PPK file from its key pair so that I could connect to the server with PuTTY. Because the instance is in a private subnet I need a foothold inside the VPC to make that connection. I could have launched an interim Windows or Linux instance in the public subnet; in my case I already had another server in that VPC that I could use.

Initial Configuration

As this is a new server, I always make sure everything is up to date first:

  sudo apt-get update && sudo apt-get upgrade

Install DUO AuthProxy

The next steps follow the guide at https://www.duosecurity.com/docs/authproxy_reference. The installer writes to /opt/duoauthproxy and creates an init script, so it has to run as root; the simplest approach is to switch to a root shell for the rest of this section:

  sudo bash

or

  sudo su -

Install the build dependencies:

  apt-get install build-essential libssl-dev python-dev

Download the DUO AuthProxy source. Duo publishes a checksum for the tarball on the reference page linked above; compare it against sha256sum of the file you downloaded before you build anything from it.

  wget https://dl.duosecurity.com/duoauthproxy-latest-src.tgz

Unpack and build:

  tar xzf duoauthproxy-latest-src.tgz
  cd duoauthproxy-yourdownloadedversion-src
  export PYTHON=python2.7
  make

At the time of writing, the Python version installed on the AWS Ubuntu images is 2.7. Your downloaded version of the DUO AuthProxy source will also differ from mine, which is why the directory name above is a placeholder: type cd duo and press TAB to complete the folder name.

  cd duoauthproxy-build
  ./install

You will be shown a licence agreement that you must accept to continue. Press SPACE to move through each page and, once read, type yes to agree. Complete the installation with all the defaults; you will need to answer yes when asked whether the installer should create an initialization script, so that the proxy runs at startup.

Configure your Proxy

Before the proxy can accept and process requests you need to configure it:

  nano /opt/duoauthproxy/conf/authproxy.conf

Replace the current contents of the file with the following:

  [radius_server_duo_only]
  ikey=[yourapikey]
  skey=[yoursecretkey]
  api_host=[yourapihostname]
  radius_ip_1=10.0.0.0/16
  radius_secret_1=[somesecuresecretcode]
  failmode=safe
  port=1812

Two of these settings decide how much you are trusting. radius_ip_1 is the address or range allowed to send RADIUS requests, and radius_secret_1 is the shared secret that range must present; the value above admits the whole VPC, and listing the directory's own IP addresses instead (each as its own radius_ip_N and radius_secret_N pair) is the tighter choice. failmode=safe means fail open: if the proxy cannot reach Duo's service it accepts the login on the primary credentials alone. failmode=secure rejects such logins instead. Pick one deliberately rather than inheriting the default, which is safe. The file also holds your Duo secret key and the RADIUS shared secret, so treat it as a credential and keep it out of version control.

To obtain your API information you first need to create an Integration within your DUO account.

Getting your API Information

Log in to your console at www.duosecurity.com and open the Integrations module (called Applications in newer versions of the admin panel). Click the New Integration button, select RADIUS as the integration type, give the integration a name and click Create Integration. You now have a new integration to use: enter its Integration Key, Secret Key and API Hostname into the ikey, skey and api_host lines of your config file.
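Before starting the proxy it is worth checking the file for the weak settings discussed above: a template placeholder left in place, failmode=safe, a radius_ip range that admits a whole network, or a short shared secret. The script below does that. It is an added example, not part of the tutorial or of Duo's own tooling; the two configurations embedded in it are constructed for the demonstration (the key, hostname and addresses in the hardened variant are invented), and the api-XXXXXXXX.duosecurity.com hostname form it checks for is the shape Duo issues per account.

```python
import configparser
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the configuration as shown in the tutorial, with the
# template placeholders still in place and the whole VPC allowed as a client.
PAGE_STYLE_CONF = """\
[radius_server_duo_only]
ikey=[yourapikey]
skey=[yoursecretkey]
api_host=[yourapihostname]
radius_ip_1=10.0.0.0/16
radius_secret_1=[somesecuresecretcode]
failmode=safe
port=1812
"""

# Constructed hardened variant; every key, host and address here is invented.
HARDENED_CONF = """\
[radius_server_duo_only]
ikey=DIAAAAAAAAAAAAAAAAAA
skey=0000000000000000000000000000000000000000
api_host=api-12345678.duosecurity.com
radius_ip_1=10.0.3.10
radius_secret_1=mB7dK2pQ9xT4vL8nR6wS1zF5yH3jC0aE
radius_ip_2=10.0.4.10
radius_secret_2=mB7dK2pQ9xT4vL8nR6wS1zF5yH3jC0aE
failmode=secure
port=1812
"""

MIN_SECRET_LEN = 20
API_HOST_RE = re.compile(r"^api-[0-9a-f]{8}\.duosecurity\.com$")


def is_placeholder(value: str) -> bool:
    """Values copied straight from a template look like [yourapikey]."""
    return value.startswith("[") and value.endswith("]")


def audit_section(name: str, items: Dict[str, str]) -> List[str]:
    findings = []
    for key, value in items.items():
        if is_placeholder(value):
            findings.append(f"{name}: {key} still holds the placeholder {value}")

    host = items.get("api_host", "")
    if host and not is_placeholder(host) and not API_HOST_RE.match(host):
        findings.append(f"{name}: api_host {host!r} is not an api-XXXXXXXX.duosecurity.com hostname")

    # failmode defaults to safe (fail open) when it is omitted entirely.
    if items.get("failmode", "safe").lower() != "secure":
        findings.append(f"{name}: failmode is 'safe' (fail open); set failmode=secure unless fail-open is intended")

    for key, value in items.items():
        if not key.startswith("radius_ip_"):
            continue
        suffix = key[len("radius_ip_"):]
        secret = items.get(f"radius_secret_{suffix}", "")
        if not secret:
            findings.append(f"{name}: {key} has no matching radius_secret_{suffix}")
        elif not is_placeholder(secret) and len(secret) < MIN_SECRET_LEN:
            findings.append(f"{name}: radius_secret_{suffix} is shorter than {MIN_SECRET_LEN} characters")
        if "/" in value:
            net = ipaddress.ip_network(value, strict=False)
            if net.num_addresses > 1:
                findings.append(f"{name}: {key}={value} admits {net.num_addresses} client addresses; list the directory's IPs individually")
        elif "-" in value:
            findings.append(f"{name}: {key}={value} is a range; prefer individual directory IPs")
        else:
            ipaddress.ip_address(value)  # raises ValueError on a malformed address
    return findings


def audit_authproxy_conf(text: str) -> List[str]:
    """Return findings for every radius_server_* section in the file text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: List[str] = []
    for section in cp.sections():
        if section.startswith("radius_server"):
            findings.extend(audit_section(section, dict(cp.items(section))))
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/duoauthproxy/conf/authproxy.conf"
    with open(path) as fh:
        problems = audit_authproxy_conf(fh.read())
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run it on the proxy host as python3 audit.py /opt/duoauthproxy/conf/authproxy.conf; a non-zero exit means at least one finding, which makes it usable as a gate in whatever process pushes the file to the server.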

Start DUO AuthProxy

  /opt/duoauthproxy/bin/authproxyctl start

If all has gone smoothly you will see no errors. Before wiring the proxy into your directory, confirm that it is actually listening on UDP 1812 and read its log for configuration complaints:

  netstat -ulnp | grep 1812
  tail /opt/duoauthproxy/log/authproxy.log

Add DUO AuthProxy server to Directory

You are now ready to add the server to your directory as an MFA RADIUS connection. Open the AWS console, navigate to Directory Service and select your directory by clicking its Directory ID. On the Multi-Factor Authentication tab, tick Enable Multi-Factor Authentication and enter the AuthProxy server details: its private IP address, port 1812, and the shared secret, which is the radius_secret_1 value from authproxy.conf. Server Timeout and Max Retries are best left at 20 and 5 respectively. For the protocol select PAP: the proxy has to read the factor keyword (push, sms or a passcode) from the password field, and Duo documents PAP for the radius_server_duo_only configuration. Click Update Directory and wait. You will need to refresh the page to see whether the change has taken; when it has, the tab shows MFA as enabled, and from the CLI

  aws ds describe-directories --directory-ids <your directory id>

reports a RadiusStatus of Completed. Failed usually means the directory could not reach the proxy, which points back at the security group or at radius_ip_1.
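A check worth doing between starting the proxy and handing it to Directory Service is to send it one RADIUS request yourself and confirm that your client address and shared secret are accepted. The script below is an added example, not part of the tutorial or of Duo's software: it builds a PAP Access-Request as RFC 2865 describes, hides the factor keyword in the User-Password attribute using the shared secret, and verifies the Response Authenticator on the reply so that a spoofed Access-Accept from some other host on the subnet is not mistaken for a real one. Run it from a host whose address falls inside radius_ip_1, against the proxy's VPC address; the proxy address, user, factor and secret are arguments you supply, and the values in the usage comment are placeholders.

```python
import hashlib
import os
import socket
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-byte authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: what the proxy does with the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        digest = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, digest)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(payload: bytes) -> Dict[int, bytes]:
    attrs, pos = {}, 0
    while pos + 2 <= len(payload):
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute")
        attrs[attr_type] = payload[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(username: str, factor: str, secret: bytes, nas_ip: str,
                         identifier: int, request_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PAP Access-Request. With radius_server_duo_only the password field carries
    the Duo factor (push, sms or a passcode), not the AD password."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(factor.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    packet = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    return packet, request_auth


def response_authenticator(code: int, identifier: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes, expected_id: int) -> Tuple[bool, int]:
    """Return (authentic, code). A mismatching authenticator means the reply was
    not produced by a holder of the shared secret, or was altered in transit."""
    if len(packet) < 20:
        return False, 0
    code, identifier, length = HEADER.unpack(packet[:4])
    if identifier != expected_id or length != len(packet):
        return False, code
    expected = response_authenticator(code, identifier, packet[20:length], request_auth, secret)
    return packet[4:20] == expected, code


def probe(host: str, port: int, username: str, factor: str, secret: bytes, nas_ip: str, timeout: float = 60.0) -> str:
    """Send one request and classify the reply. A push needs the user to respond
    within the timeout; 'sms' is expected to come back as a reject by design."""
    ident = os.urandom(1)[0]
    packet, request_auth = build_access_request(username, factor, secret, nas_ip, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    ok, code = verify_response(reply, request_auth, secret, ident)
    if not ok:
        return "unauthentic reply"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, f"code {code}")


if __name__ == "__main__":
    import sys
    # Usage: python3 radius_probe.py <proxy ip> <user> <push|sms|passcode> <secret> [<this host's ip>]
    proxy_ip, user, factor, shared = sys.argv[1:5]
    nas_ip = sys.argv[5] if len(sys.argv) > 5 else "127.0.0.1"
    print(probe(proxy_ip, 1812, user, factor, shared.encode(), nas_ip))
```

A "timeout" with nothing in authproxy.log usually means the security group or radius_ip_1 is dropping the request; a reject logged with a secret mismatch means the shared secret differs between the two ends. Because the whole scheme rests on MD5 of the shared secret, the secret's length and the client allow-list are the only things keeping an attacker on the same subnet from recovering factor keywords or forging accepts, which is why both were tightened above.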

Authenticating

You are now ready to use your DUO Security integration with any AWS WorkSpaces connected to this directory. Launch the Amazon WorkSpaces client, ensure it is registered to the correct directory, and enter your username and password. You will then be presented with a second screen asking for additional credentials; what you type in that field selects the Duo factor.

DUO Push: to authenticate with a push notification, enter push as the passcode.

SMS Scratch Codes: to receive a new set of scratch codes (one-time access codes), enter sms as the passcode. That authentication request fails by design, and you should receive an SMS message containing your new scratch codes. To use one of your existing scratch codes, enter the code as the passcode.

DUO Authenticator Passcode: if you would rather enter a passcode from the DUO Authenticator app on your smart device, enter the generated code as the passcode.