AWS WorkSpaces provides a secure and cost-effective desktop-as-a-service solution that allows users to access their desktops from anywhere. This guide will walk you through setting up AWS WorkSpaces using AWS Managed Active Directory and integrating FreeRADIUS MFA Server installed on an EC2 instance for enhanced security.

Step 1: Setting Up AWS Managed Active Directory

  1. Log in to the AWS Management Console: Navigate to the Directory Service console.
  2. Create a Directory: Select “Set up directory” and choose “AWS Managed Microsoft AD.”
  3. Configure Directory Details: Provide the directory name, DNS name, and description. Select the appropriate VPC and subnets for your directory.
  4. Review and Create: Review the details and create the directory.

Step 2: Launching an EC2 Instance for FreeRADIUS MFA Server

  1. Launch an EC2 Instance: Open the EC2 console and launch a new instance. Choose an Amazon Linux 2 AMI and select an instance type (t2.micro is sufficient for this purpose).
  2. Configure Instance Details: Ensure the instance is in the same VPC as your AWS Managed AD and assign the necessary security groups.
  3. Add Storage and Tags: Add storage and tags as required.
  4. Configure Security Group: Open UDP port 1812 (RADIUS authentication) and TCP port 22 (SSH) in the security group, limiting the source of each rule to the addresses that need it rather than 0.0.0.0/0.
  5. Launch the Instance: Review the details and launch the instance.

Step 3: Installing FreeRADIUS on EC2

  1. Connect to the EC2 Instance: Use SSH to connect to your EC2 instance.
  2. Update the System: Run the following command to update your system packages:

    sudo yum update -y

  3. Install FreeRADIUS: Install FreeRADIUS and necessary modules:

    sudo yum install freeradius freeradius-utils -y

  4. Configure FreeRADIUS: Edit the configuration files to integrate with AWS Managed AD.

    sudo nano /etc/raddb/mods-enabled/ldap

     • Set the server to your directory’s DNS name.
     • Configure the bind DN and password to match your AD credentials.

  5. Start and Enable FreeRADIUS:

    sudo systemctl start radiusd
    sudo systemctl enable radiusd
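
A check for the `/etc/raddb/mods-enabled/ldap` file edited above, as an added example that is not part of the original guide: it flags a configuration that sends the AD bind password without LDAPS or StartTLS, skips certificate validation, or leaves the file accessible to other local users. It assumes FreeRADIUS 3.x key names (`server`, `start_tls`, `require_cert`), GNU `stat`, and a directory that offers LDAPS or StartTLS; the hostnames, DNs and password in the sample configs are constructed.

```sh
#!/bin/sh
# Added example: audit the FreeRADIUS 3.x ldap module file from Step 3 for
# exposure of the AD bind credentials. The sample configs are constructed.

ldap_value() {  # ldap_value <file> <key>: first uncommented "key = value"
  awk -v k="$2" -v q="'" '
    /^[ \t]*#/ { next }
    { line = $0; sub(/^[ \t]+/, "", line) }
    index(line, k) == 1 {
      rest = substr(line, length(k) + 1)
      if (rest !~ /^[ \t]*=/) next
      sub(/^[ \t]*=[ \t]*/, "", rest)
      gsub("^[\"" q "]|[\"" q "][ \t]*$", "", rest)
      print rest; exit
    }' "$1"
}

audit_ldap_module() {  # prints findings; returns 1 if any were raised
  f=$1; n=0
  server=$(ldap_value "$f" server)
  tls=$(ldap_value "$f" start_tls)
  cert=$(ldap_value "$f" require_cert)
  case "$server" in ldaps://*) tls=yes ;; esac
  if [ "$tls" != yes ]; then
    # Without LDAPS or StartTLS the bind password is sent in clear text.
    echo "WEAK: '$server' is reached without ldaps:// or start_tls"; n=$((n + 1))
  elif [ "$cert" != demand ]; then
    # TLS that skips certificate checks does not authenticate the directory.
    echo "WEAK: require_cert is '${cert:-unset}', expected 'demand'"; n=$((n + 1))
  fi
  mode=$(stat -c '%a' "$f")
  if [ $(( 0$mode & 7 )) -ne 0 ]; then
    # The file stores the bind password; other local users need no access.
    echo "WEAK: $f is accessible to other users (mode $mode)"; n=$((n + 1))
  fi
  [ "$n" -eq 0 ]
}
# Constructed inputs: the guide's minimal edit, then a hardened variant.
demo=$(mktemp -d)
printf '%s\n' 'ldap {' "  server = 'corp.example.com'" \
  "  identity = 'CN=svc-radius,OU=Users,DC=corp,DC=example,DC=com'" \
  "  password = 'constructed-secret'" '}' > "$demo/weak"
printf '%s\n' 'ldap {' "  server = 'ldaps://corp.example.com'" \
  "  identity = 'CN=svc-radius,OU=Users,DC=corp,DC=example,DC=com'" \
  "  password = 'constructed-secret'" \
  "  tls {" "    require_cert = 'demand'" '  }' '}' > "$demo/hardened"
chmod 644 "$demo/weak"; chmod 640 "$demo/hardened"
audit_ldap_module "$demo/weak" || true
audit_ldap_module "$demo/hardened" && echo "OK: hardened config passes"
```

Run `audit_ldap_module /etc/raddb/mods-enabled/ldap` on the instance after editing the file and before starting `radiusd`.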

Step 4: Configuring AWS WorkSpaces

  1. Launch AWS WorkSpaces: Navigate to the WorkSpaces console and select “Launch WorkSpaces.”
  2. Select Directory: Choose the AWS Managed AD directory you created earlier.
  3. Create a WorkSpace: Configure the WorkSpace details, including the bundle type and user information.
  4. Enable MFA: In the WorkSpaces directory settings, enable Multi-Factor Authentication (MFA) and point it to the FreeRADIUS server.

Step 5: Testing and Verification

  1. User Configuration: Ensure users are added to the AWS Managed AD and have appropriate permissions.
  2. MFA Testing: Verify that MFA is working by logging into AWS WorkSpaces. You should be prompted for your username, password, and an additional authentication factor configured via FreeRADIUS.

Conclusion

Setting up AWS WorkSpaces with AWS Managed Active Directory and FreeRADIUS MFA Server enhances security and provides a seamless desktop experience for your users. By following the steps outlined in this guide, you can create a robust, secure, and scalable desktop solution.