Why is MFA failing on my AWS Managed Microsoft AD directory or my AD Connector?

2 minute read
0

I've enabled multi-factor authentication (MFA) on my AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) directory or AD Connector. However, MFA is failing. How can I troubleshoot this?

Resolution

The security group associated with your AWS Managed Microsoft AD or AD Connector must have a rule that allows outbound traffic on port UDP 1812 to the security group associated with your RADIUS server.

Note: If you're using a custom UDP port for MFA authentication, then allow the custom UDP port traffic under the following:

  • Outbound rules on the security group associated with your AWS Managed Microsoft AD or AD Connector.
  • Inbound rules on the Security group associated with your RADIUS server.

Verify that port UDP 1812 or your custom UDP port for MFA is allowed under outbound traffic on the AWS Managed Microsoft AD or AD Connector security group

  1. To find the security group associated with your DNS servers, open the AWS Directory Service console, and note the IP addresses under DNS address.
  2. Open the Amazon Elastic Compute Cloud (Amazon EC2) console, and then choose Network Interfaces.
  3. In the search field, enter one of the DNS IP addresses found in step 1 and select the checkbox for that interface.
  4. Under Details, select the security group listed in Security Groups.
  5. Select View outbound rules. Verify that there is a rule allowing outbound traffic on port UPD 1812 for UDP, or your custom UDP port for MFA, to the IP address space or security group associated with your RADIUS EC2 instances.

Verify that the secret key for directory services is the same key configured on the RADIUS server

The RADIUS client and server must use the same shared password or key. Check the RADIUS server logs for further information. The method for checking Radius logs depends on your configuration. Review the documentation for your configuration for instructions on accessing the logs.


Related information

Enable multi-factor authentication for AWS Managed Microsoft AD

Enable multi-factor authentication for AD Connector

AWS OFFICIAL
AWS OFFICIALUpdated 3 years ago
2 Comments

I followed all step and still failed.

My freeradius is running and linked to my AD (windb is working) I tried with public and private IP of my RadiusServer and still not working. I put same secret pass ...

I can't get any log to help me

Alex
replied 2 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 2 months ago