Amazon Web Services (AWS) is a cloud computing platform that offers companies a wide range of services for running workloads outside their own data centres. In 2013 AWS introduced Workspaces, a Desktop as a Service product for organisations that want to bring cloud-hosted desktops into their existing workflow. A Workspace is a virtual desktop running inside a Virtual Private Cloud (VPC), which gives users a controlled path to applications and systems hosted within AWS without exposing those systems directly.

In 2014 AWS added further controls to its Directory Service, allowing an Active Directory environment connected to AWS to be protected with Multi-Factor Authentication (MFA), for example a hardware key fob. With MFA enabled, the Workspaces login gains an extra step that requests the additional authentication passcode.

This tutorial runs through the steps and requirements to deploy a Duo Security RADIUS proxy within AWS and attach it to a Directory Service directory as the MFA server. The benefit of the Duo RADIUS proxy is its versatility: it supports multiple device types and authentication methods (push notification, SMS passcodes and app-generated passcodes) behind a single RADIUS endpoint. For more information (and to create an account) visit the company's website at www.duosecurity.com.

Prerequisites

You will need:
- An AWS account
- A VPC configured within any AWS region that supports Workspaces and Directory Service
- Four subnets located within your VPC:
  o One public subnet housing a working NAT server
  o One private subnet for housing your internal server instances
  o Two private subnets for housing your Workspaces
- Two Windows Active Directory DCs, one located in each of the two Workspaces subnets, fully configured with DNS and a working AD domain
- One AWS Directory Service connection to your working AD domain, with working Workspaces
- A Duo Security account, configured and working with at least one user
- A basic understanding of creating Duo accounts, devices and authentication methods

Page 1 of 5
Launch a new Instance

For my purposes, I installed an Ubuntu 14 Server from the AWS Quick Launch. This is my preference, but you may prefer a different flavour of Linux; adjust the commands to suit your distribution. The instance I created is a t2.medium within a PRIVATE subnet (it reaches the Internet via the NAT box), with all other settings left at their defaults.

For the security group I used the following rule:

    All traffic from my VPC CIDR (because this is within a PRIVATE subnet)

A tighter rule is preferable once the proxy is working: allow only UDP 1812 from the two subnets your directory is deployed in (the directory's own addresses are the source of the RADIUS requests) plus SSH from your administration host. The proxy holds your Duo secret key and the RADIUS shared secret, so it should not be reachable from anything that does not need it.

Once the instance is launched, I created a PPK file from the key pair so that I can connect to the server with PuTTY. As the instance is within a private subnet, I need access to the VPC to make my connection. I could have launched an interim Windows or Linux server instance within my public subnet; in my case I already have another server within that VPC that I can use.

Initial Configuration

As this is a new server, I always make sure everything is up to date:

    sudo apt-get update && sudo apt-get upgrade

Install Duo AuthProxy

The next step follows the guide located at https://www.duosecurity.com/docs/authproxy_reference

I am not sure why, but the installation process seems to only work if run as root, so you will need to switch to root:

    sudo bash

or

    sudo su -

Install the build dependencies:

    apt-get install build-essential libssl-dev python-dev

Download the Duo AuthProxy source:

    wget https://dl.duosecurity.com/duoauthproxy-latest-src.tgz

Unpack and build it:

    tar xzf duoauthproxy-latest-src.tgz
    cd duoauthproxy-yourdownloadedversion-src
    export PYTHON=python2.7
    make
At the time of writing, the Python version installed on the AWS Ubuntu images is 2.7. Your version of the Duo AuthProxy source may differ from the one I downloaded, so I have not given the exact folder name; simply type cd duo and press TAB to complete it. Then run the installer from the build directory:

    cd duoauthproxy-build
    ./install

You will be shown a licence agreement to read and accept if you wish to continue. Press SPACE to move to each new page. Once read, type yes to accept the licence. Complete the installation using all defaults; answer yes when asked whether the installation script should create an init script so that the proxy runs at startup.

Configure your Proxy

Before the proxy can accept and process requests, you will need to configure it:

    nano /opt/duoauthproxy/conf/authproxy.conf

The current contents of this file can be replaced with the following (the values in square brackets are placeholders for your own):

    [radius_server_duo_only]
    ikey=[yourapikey]
    skey=[yoursecretkey]
    api_host=[yourapihostname]
    radius_ip_1=10.0.0.0/16
    radius_secret_1=[somesecuresecretcode]
    failmode=safe
    port=1812

A few notes on these settings:
- radius_ip_1 is the address range the proxy accepts RADIUS requests from. It must cover the addresses of your AWS directory, which is what sends the requests; the VPC CIDR (10.0.0.0/16 here) works, and narrowing it to the directory's subnets is better.
- radius_secret_1 is the shared secret that authenticates the directory to the proxy. Use a long random value rather than a memorable phrase; you will enter the same value in the Directory Service console later.
- failmode=safe means that if the proxy cannot reach Duo's service, logins succeed on the primary (AD) password alone. failmode=secure rejects logins in that situation. Choose according to whether availability or strict MFA enforcement matters more to you.
- radius_server_duo_only is the right section type here: Directory Service validates the AD password itself and only sends the second-factor value (push, sms or a passcode) to the proxy.

To obtain your API information, you will first need to create an Integration within your Duo account.

Getting your API Information

Log into your console at www.duosecurity.com and enter the Integrations module. Click the New Integration button. Select RADIUS as the integration type and give your integration a name. Click Create Integration to continue. You will now have a new integration to use. Enter the Integration Key, Secret Key and API Hostname (of the form api-XXXXXXXX.duosecurity.com) into the relevant lines of your config file.
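As an added example (it is not part of the original tutorial and not a Duo tool), the following shell script renders the [radius_server_duo_only] section above from its inputs, generates a random RADIUS shared secret, and checks a finished config file before the proxy is started: no placeholders left in brackets, an api_host of the api-XXXXXXXX.duosecurity.com form, a shared secret of at least 32 characters, a warning on failmode=safe, and confirmation that each directory address you pass lies inside radius_ip_1. The 32-character minimum and the preference for failmode=secure are this example's own policy, not Duo or AWS requirements; the key names and section type come from Duo's Authentication Proxy reference. All keys and addresses in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of Duo's own tooling.
# Renders the [radius_server_duo_only] section from its inputs, generates a
# random shared secret, and sanity-checks a config file before the proxy is
# started. Assumptions (this example's policy, not Duo or AWS rules): secret
# at least 32 characters, values left in [brackets] are errors, and
# failmode=safe earns a warning because it allows password-only logins while
# Duo's service is unreachable.

# render_authproxy_conf IKEY SKEY API_HOST CLIENT_CIDR SECRET FAILMODE
# Prints the config section to stdout (port 1812, as in the tutorial).
render_authproxy_conf() {
    printf '[radius_server_duo_only]\n'
    printf 'ikey=%s\n' "$1"
    printf 'skey=%s\n' "$2"
    printf 'api_host=%s\n' "$3"
    printf 'radius_ip_1=%s\n' "$4"
    printf 'radius_secret_1=%s\n' "$5"
    printf 'failmode=%s\n' "$6"
    printf 'port=1812\n'
}

# new_radius_secret: 48 hex characters from /dev/urandom, no newline.
new_radius_secret() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# conf_value FILE KEY: first value of KEY=... in FILE (empty if absent).
conf_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer.
ip_to_int() {
    IFS=. read -r _a _b _c _d <<EOF
$1
EOF
    echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# cidr_contains CIDR IP: true (exit 0) if IP lies inside CIDR.
cidr_contains() {
    _net="${1%/*}"; _bits="${1#*/}"
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$_net") & _mask )) -eq $(( $(ip_to_int "$2") & _mask )) ]
}

# check_authproxy_conf FILE [DIRECTORY_IP ...]
# Returns 0 if FILE passes; prints each problem found. Directory addresses,
# if given, must fall inside radius_ip_1 or the proxy will ignore them.
check_authproxy_conf() {
    _cfg="$1"; shift; _rc=0
    for _k in ikey skey api_host radius_ip_1 radius_secret_1; do
        case "$(conf_value "$_cfg" "$_k")" in
            ''|*\[*) echo "FAIL: $_k missing or still a placeholder"; _rc=1 ;;
        esac
    done
    case "$(conf_value "$_cfg" api_host)" in
        api-*.duosecurity.com) ;;
        *) echo "FAIL: api_host should be the integration's api-XXXXXXXX.duosecurity.com host"; _rc=1 ;;
    esac
    _secret="$(conf_value "$_cfg" radius_secret_1)"
    [ "${#_secret}" -ge 32 ] || { echo "FAIL: radius_secret_1 is shorter than 32 characters"; _rc=1; }
    case "$(conf_value "$_cfg" failmode)" in
        secure) ;;
        safe) echo "WARN: failmode=safe allows password-only logins if Duo is unreachable" ;;
        *) echo "FAIL: failmode must be safe or secure"; _rc=1 ;;
    esac
    _cidr="$(conf_value "$_cfg" radius_ip_1)"
    for _ip in "$@"; do
        cidr_contains "$_cidr" "$_ip" || { echo "FAIL: directory address $_ip is outside radius_ip_1=$_cidr"; _rc=1; }
    done
    return $_rc
}

# Demonstration with constructed values (not real keys): a config that passes,
# then one still holding the tutorial's placeholders, which must be rejected.
_demo="$(mktemp)"
render_authproxy_conf DIAAAAAAAAAAAAAAAAAA deadbeefdeadbeefdeadbeefdeadbeefdeadbeef \
    api-12345678.duosecurity.com 10.0.0.0/16 "$(new_radius_secret)" secure > "$_demo"
check_authproxy_conf "$_demo" 10.0.1.10 10.0.2.10 && echo "constructed config: OK"
render_authproxy_conf '[yourapikey]' '[yoursecretkey]' '[yourapihostname]' \
    10.0.0.0/16 '[somesecuresecretcode]' safe > "$_demo"
check_authproxy_conf "$_demo" || echo "placeholder config: rejected"
rm -f "$_demo"
```

Run it on the proxy host with `check_authproxy_conf /opt/duoauthproxy/conf/authproxy.conf <directory-ip-1> <directory-ip-2>` after editing the file; the directory addresses are the DNS addresses shown on the directory's details page in the AWS console.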
Start Duo AuthProxy

    /opt/duoauthproxy/bin/authproxyctl start

If all has gone smoothly you will see no errors and your AuthProxy server is ready. If it does not start, check /opt/duoauthproxy/log/authproxy.log; the usual causes are a typo in the config file or the instance being unable to reach the API hostname through the NAT.

Add Duo AuthProxy server to Directory

You are now ready to add the server to your directory as an MFA RADIUS connection. Open your AWS Console and navigate to Directory Service. Select your directory by clicking on the Directory ID. Select the Multi-Factor Authentication tab and enable MFA. You can now enter the AuthProxy server details: the private IP address of the instance, the port (1812) and the shared secret. The shared secret is the radius_secret_1 value you entered in the AuthProxy config file in the previous step. The Server Timeout and Max Retries are best left at 20 and 5 respectively. Any of the protocols will connect, but I don't know if they will work in terms of authentication. Your mileage may vary. Note that the proxy needs the cleartext factor value (push, sms or a passcode) to act on it, so PAP is the protocol to select; the challenge-response protocols hash that value and cannot be used in duo_only mode. Click Update Directory and wait. You will need to refresh the screen to see if it has worked; if everything has gone well, the directory's Multi-Factor Authentication tab will show the RADIUS status as completed.
Authenticating

You are now ready to use your Duo Security integration with any AWS Workspaces connected to this directory. Launch your Amazon Workspaces client and ensure it is registered to the correct directory, then enter your username and password. You will be presented with a second screen asking for additional credentials; whatever you type in that field is passed to the proxy as the Duo factor.

Duo Push
To authenticate using a push notification, enter push as your passcode.

SMS Scratch Codes
To receive a new set of scratch codes (one-time access codes), enter sms as your passcode. That authentication request will fail, and you should receive an SMS message containing your new scratch codes. To use one of your existing scratch codes, enter the code as your passcode.

Duo Authenticator Passcode
If you would prefer to enter a passcode from the Duo app on your smart device, simply enter the generated code as the passcode.