Multi-Factor Authentication (2FA/MFA) for AWS Client VPN

Multi-Factor (MFA) and Two-Factor Authentication (2FA) for AWS Client VPN

February 17, 2021 By Rublon Authors

Last updated on May 6, 2025

Overview of MFA for AWS Client VPN

Multi-Factor Authentication (MFA) for AWS Client VPN is an enhanced security measure that requires users to present two pieces of identification before gaining access to AWS Client VPN. The first form of identification involves the user entering their username and password associated with an Active Directory or RADIUS system. After completing the first step, the user must then use a second form of authentication, such as a Mobile Push or Email Link, before being granted access to the AWS Client VPN. Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) for AWS Client VPN provides an additional layer of protection and prevents unauthorized access, even if hackers know the user’s credentials.

Supported Authentication Methods

Authentication Method        Supported   Comments
Mobile Push                  ✔           N/A
WebAuthn/U2F Security Key    –           N/A
Passcode                     ✔           N/A
SMS Passcode                 –           N/A
SMS Link                     ✔           N/A
Phone Call                   ✔           N/A
QR Code                      –           N/A
Email Link                   ✔           N/A
YubiKey OTP Security Key     ✔           N/A

Required Components

  • EC2 Windows Instance – to install services and manage users and groups in the Active Directory.
  • EC2 Linux Instance – to install Rublon Authentication Proxy.
  • Amazon WorkSpaces with AWS Managed Microsoft AD set as Directory Service.

Configuration of MFA for AWS Client VPN

Follow these steps to enable Rublon 2FA for AWS Client VPN.

Configure Windows instance and AWS Managed Microsoft AD

1. Open your AWS Management Console and navigate to WorkSpaces.

2. You must create a workspace directory using AWS Managed Microsoft AD. Navigate to the left pane, click Directories, and then click the Set up Directory button.

3. Select AWS Managed Microsoft AD as the directory type and click Next.

4. Select Standard Edition or Enterprise Edition depending on your needs.

5. Set Directory DNS name. It must be a fully qualified name for the directory, such as rublon.example.com.

6. Set your Admin password and confirm the password.

7. Click Next and specify the VPC and Subnets for your directory. The VPC you set here has to be the VPC where your Windows Server and Ubuntu instances reside. The choice of subnets does not affect this configuration; you can specify the same subnet as one of your instances.

8. Click Next, review your information, and click Create directory.

9. Create and join the Amazon EC2 Windows instance to the AWS Managed Microsoft AD directory you just created. Refer to the official documentation to learn how to do it.

Note

Ensure your Windows instance is associated with the Active Directory.

Ensure you have created an IAM role and attached the AmazonEC2RoleforSSM policy.

10. Connect to your Windows instance (provide the Service account password you set in Step 6).

11. Open PowerShell and run the following command:

install-windowsfeature rsat-ad-tools, rsat-ad-admincenter, gpmc, rsat-dns-server -confirm:$false

12. Create Active Directory users and groups. Add your users into groups. Users created in this step will be able to connect using AWS Client VPN.

Refer to the following AWS documentation to learn how to:

  • Create a user
  • Create a group
  • Add a user to a group

13. Run the following command to obtain the SID of your Active Directory group. Replace groupName with the name of your Active Directory group.

Get-ADGroup -Identity groupName

Note

You are going to need the SID to authorize the users from this Active Directory group when configuring authorization rules for AWS Client VPN.

Configure Amazon Linux AMI and Rublon Authentication Proxy

1. Launch a new instance from the EC2 Instances console.

2. Click Choose AMI and select Amazon Linux 2 AMI 64-bit (x86).

3. Click Choose Instance Type. Select the desired Instance Type and the size of your instance. There are no specific requirements for the size of the instance. Select an instance adequate to your company size.

4. Click Next: Configure Instance Details and fill in the form. Note that the options you choose here should correspond to the options you chose during Windows instance creation in the previous section. Make sure that the VPC and Subnet are the same as for the Windows Server instance. Enable Auto-assign Public IP as this option might come in handy when connecting remotely to the instance via SSH. Keep the rest of the settings as they are or change them according to your needs.

5. Click Next: Add storage. Specify the size of the volume for your instance. Set the size according to your needs or keep the default value of 8GB.

6. Click Next: Add tags. This section relates to tags. Note that you do not have to specify any tags for this configuration to work. Add tags if you need them for some other reason.

7. Click Next: Configure Security Group. Use the group you have created before. Make sure the following ports are open in Inbound Rules:

  • UDP 1812
  • TCP 22

8. Click Review and Launch. At launch, you will see an option to select an existing key pair or create a new key pair. Either works, but make sure to download and save the key file. You are going to need this key to connect to your instance. The username for the SSH user is ec2-user.

9. Wait a few minutes for the instance to start and connect to the instance using the key you have downloaded at instance launch.

10. Install and configure Rublon Authentication Proxy.

11. Find the User Base DN.

  1. On your Active Directory instance, open Windows command prompt as admin.
  2. Run the following command:
     dsquery user -name <username>
  3. Let’s say you got the following output:
     "CN=Username,ou=Users,ou=domain,dc=domain,dc=local"
     Drop the leading CN=Username component; the remainder, ou=Users,ou=domain,dc=domain,dc=local, is the value you set as search_dn in your Rublon Authentication Proxy configuration.

12. Use the following config.yaml snippet as a template for your configuration:

log:
  debug: false

rublon:
  api_server: https://core.rublon.net
  system_token: system_token_obtained_from_rublon_admin_console
  secret_key: secret_key_obtained_from_rublon_admin_console

proxy_servers:
  - name: RADIUS-Proxy
    type: RADIUS
    ip: PRIVATE_IP_OF_AMI_INSTANCE
    port: 1812
    radius_secret: secret_to_communicate_with_the_proxy
    mode: nocred
    auth_source: LDAP_SOURCE_1
    auth_method: push,email

auth_sources:
  - name: LDAP_SOURCE_1
    type: LDAP
    ip: ip_or_dns_address_of_aws_directory_service
    port: 389
    transport_type: plain
    search_dn: ou=Users,ou=domain,dc=domain,dc=local
    access_user_dn: ad_service_account
    access_user_password: ad_service_account_password

Make sure to set your proxy’s mode to nocred.

Enable MFA on your AWS Microsoft Managed AD

1. Go to Directory Service → Directories and select your Active Directory.

2. Click the Networking & security tab and navigate to Multi-factor authentication.

3. Click the Actions dropdown and select Enable.

4. Fill in the form. Click Enable when done. Refer to the following table for more information.

Setting                                   Value
RADIUS server DNS name or IP addresses    Enter the private IP address of the EC2 Linux instance (Rublon Authentication Proxy).
Port                                      Enter the port specified in your config.yaml file. Default: 1812
Shared secret code                        Enter the same secret (radius_secret) you have specified in Rublon Authentication Proxy’s config.yaml file.
Confirm shared secret code                Retype the secret.
Protocol                                  Select PAP.
Server timeout (in seconds)               Enter the same value that you have specified in config.yaml. Recommended: 30
Max RADIUS request retries                Enter the same value that you have specified in config.yaml. Recommended: 3

5. Create the Client VPN endpoint. Refer to the official documentation to learn how to set up your Client VPN endpoint.

6. Download the new AWS Client VPN configuration file from the AWS Management Console.

7. Ensure the file you downloaded includes the following parameters:

auth-user-pass
static-challenge "Enter MFA code " 1

Note

If you have set up dual authentication (e.g. Mutual Authentication and Active Directory authentication), then you also have to add the certificate and key to the configuration file (in pem format).

Log in to AWS Client VPN using MFA for AWS Client VPN

This example walks through connecting via the AWS Client VPN. It is assumed you have already installed the client and created a profile using the configuration file downloaded in Step 6 of the previous section. Send the configuration file to all your users after you have tested your integration.

1. Open your AWS VPN Client.

2. Select your profile and click Connect.

3. Provide your Active Directory credentials in the User name and Password fields.

4. Enter one of the following in the Enter MFA code field:

  • 123456 – a Passcode (6-digit TOTP code generated by Rublon Authenticator or another third-party authentication app like Google Authenticator or Microsoft Authenticator)
  • 123456789 – a Bypass Code (9-digit code received from the administrator)
  • push – a Mobile Push is sent to your phone; requires Rublon Authenticator
  • email – an email message containing an Email Link is sent to your email address
  • smsLink – a text message containing an SMS Link is sent to your phone
  • phoneCall – a Phone Call from Rublon
  • <YubiKey OTP code> – insert the YubiKey and press the button on the key; the OTP is typed automatically and Enter is pressed for you

5. Let’s select Mobile Push. Type push and click OK.

6. You will be sent an automatic push notification on your phone.

7. Tap APPROVE.

8. You will be connected to AWS Client VPN.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.
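To make concrete what "validating the Message-Authenticator attribute" means, here is an added Python example (not Rublon's code) that computes and verifies the attribute as RFC 2869 §5.14 defines it: HMAC-MD5 keyed with the RADIUS shared secret over the packet, with the attribute's own value zeroed. The shared secret and user name are constructed sample values; a packet without the attribute is rejected, mirroring the strict behaviour of force_message_authenticator: true.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, USER_NAME, MESSAGE_AUTHENTICATOR, HEADER_LEN = 1, 1, 80, 20


def build_packet(code, ident, authenticator, attrs):
    """Serialise code, id, length, 16-byte Authenticator, then (type, value) TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def find_message_authenticator(packet):
    """Offset of the 16-byte Message-Authenticator value, or None if absent or malformed."""
    off = HEADER_LEN
    while off + 2 <= len(packet):
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > len(packet):
            return None  # truncated or bogus attribute length: treat as absent
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            return off + 2
        off += attr_len
    return None


def compute_message_authenticator(packet, secret, request_authenticator):
    """RFC 2869 5.14: HMAC-MD5 keyed with the shared secret over the whole packet, with the
    Authenticator field set to the Request Authenticator (the packet's own for an Access-Request,
    the answered request's for an Access-Accept/Reject/Challenge) and the attribute value zeroed."""
    off = find_message_authenticator(packet)
    if off is None:
        raise ValueError("packet carries no Message-Authenticator attribute")
    data = packet[:4] + request_authenticator + packet[HEADER_LEN:off] + bytes(16) + packet[off + 16:]
    return hmac.new(secret, data, hashlib.md5).digest()


def verify_message_authenticator(packet, secret, request_authenticator=b""):
    """Strict check: a missing attribute fails, as with force_message_authenticator: true."""
    off = find_message_authenticator(packet)
    if off is None:
        return False
    expected = compute_message_authenticator(packet, secret, request_authenticator or packet[4:HEADER_LEN])
    return hmac.compare_digest(expected, packet[off:off + 16])  # constant-time comparison


def signed_access_request(secret, user, ident=1):
    """Constructed sample: an Access-Request with User-Name and a correct Message-Authenticator."""
    request_auth = os.urandom(16)
    draft = build_packet(ACCESS_REQUEST, ident, request_auth, [(USER_NAME, user), (MESSAGE_AUTHENTICATOR, bytes(16))])
    off = find_message_authenticator(draft)
    return draft[:off] + compute_message_authenticator(draft, secret, request_auth) + draft[off + 16:]
```

When checking a response, pass the original request's Authenticator as request_authenticator, since the response's own Authenticator field is derived after the attribute is computed.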

If you have questions concerning AWS, please refer to the AWS Directory Service Documentation first. If you still cannot solve your issue, please contact Rublon Support.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Filed Under: Documentation
