I’ve been trying to use AWS’s new Client VPN, and I’ve written a list of 23 steps that I believe confirms there’s a bug in how they have their OpenVPN configured to use Managed AD to handle authentication when MFA is enabled.
I find it kind of hard to believe they would give a re:Invent talk and write docs mentioning that this is supported without ever testing it.
That being said, I’m fairly confident that the debug steps I have show the functionality does not work.
Is there a way for me to get this debug info to someone at AWS, or should I just look into alternative approaches?
The debug steps are the following:
1. Create a Managed AD or a Simple AD + AD Connector pair.
2. Enable MFA via RADIUS for the Managed AD or AD Connector.
3. Enable the awsapps domain.
4. Create a user account on either your Managed AD or Simple AD.
5. Configure OTP for your newly created LDAP user.
6. Configure your RADIUS to authenticate using your OTP only (no password+PIN combo).
7. Configure your RADIUS to log authentication attempts.
8. Log into your awsapps domain using your LDAP user.
9. Check your RADIUS logs (you will see authentication was successful, confirming your RADIUS is correctly configured).
10. Set up Client VPN, using either your Managed AD or AD Connector for authentication.
11. Associate a target network and allow all authenticated users to access it.
12. Download the Client VPN config file.
13. Download AWS’s Starfield Technologies cert.
14. Add the cert from step 13 to the top of the section in the Client VPN config file.
15. Attempt to connect to Client VPN with your LDAP creds and the Client VPN config file (this will fail).
16. Check the logs on your RADIUS server (you will see no authentication attempt was made).
17. Enable support for 2FA in your Client VPN config file by adding the line: `static-challenge "enter otp" 0`
18. Try to log in again (this will fail).
19. Check the logs on your RADIUS server (there will have been no authentication attempt).
20. Disable MFA on either your AD Connector or your Microsoft AD.
21. Remove the line `static-challenge "enter otp" 0` from your Client VPN config file.
22. Attempt to log in to your Client VPN with your username and password.
23. You will be able to log in to your VPN (without MFA).
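The manual check in steps 9, 16, 19 and 23 (did the RADIUS server see an authentication attempt for this login?) is something you can automate for ongoing monitoring, so that a VPN session established without any RADIUS request stands out. The script below is an added example and is not from the original post or from AWS; it assumes FreeRADIUS-style `Auth:` log lines and a simple one-line-per-connection VPN record, and all of the log data in it is constructed.

```python
"""Flag VPN logins that the RADIUS server never saw.

Added example (not from the original post). Every successful VPN login
should be preceded, within a short window, by an Access-Request for the
same user on the RADIUS server; a login with no such request means the
MFA step was never consulted, which is exactly the condition step 23
of the post describes.  Log formats are assumptions, data is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed FreeRADIUS-style auth log lines (assumed format, not real data).
RADIUS_LOG = """\
Wed Jan 16 10:02:11 2019 : Auth: (3) Login OK: [alice] (from client vpn port 0)
Wed Jan 16 10:05:40 2019 : Auth: (4) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client vpn port 0)
"""

# Constructed VPN connection records: ISO timestamp, username, outcome.
VPN_LOG = """\
2019-01-16T10:02:12 alice connected
2019-01-16T10:05:41 bob failed
2019-01-16T10:30:05 carol connected
"""

# Captures the timestamp and the bracketed username from an "Auth:" line,
# regardless of whether the attempt succeeded or failed.
RADIUS_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: .*?: \[(?P<user>[^\]]+)\]"
)


def parse_radius_attempts(text):
    """Return [(datetime, user)] for every authentication attempt RADIUS logged."""
    attempts = []
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            attempts.append((ts, m.group("user")))
    return attempts


def parse_vpn_logins(text):
    """Return [(datetime, user, outcome)] from the assumed VPN record format."""
    logins = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed records
        logins.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return logins


def logins_without_radius(vpn_text, radius_text, window=timedelta(seconds=30)):
    """Successful VPN logins with no RADIUS attempt for that user in the
    `window` before the login.  Returns [(iso_timestamp, user)]."""
    attempts = parse_radius_attempts(radius_text)
    missing = []
    for ts, user, outcome in parse_vpn_logins(vpn_text):
        if outcome != "connected":
            continue  # failed logins are not the problem being hunted
        seen = any(u == user and ts - window <= at <= ts for at, u in attempts)
        if not seen:
            missing.append((ts.isoformat(), user))
    return missing


if __name__ == "__main__":
    for when, who in logins_without_radius(VPN_LOG, RADIUS_LOG):
        print(f"{when} {who}: VPN session with no RADIUS attempt (MFA bypassed?)")
```

In the constructed data, `alice` has a RADIUS entry one second before her connection and `bob` never connected, so only `carol` is reported. The window is deliberately short; widen it if your RADIUS and VPN clocks are not tightly synchronised.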
Report the bug through a normal Support ticket; it’ll make its way to the product team. Don’t expect a fix anytime soon though, so proceed with whatever workaround or alternative you need.
A support plan is best but not always justifiable for individuals. In that case, I recommend tweeting @awscloud on Twitter that you have identified an issue and asking for a direct message response so the defect can be submitted.
Good luck reaching out to their support if you don’t pay for one of their plans. Even for reporting bugs and issues on their side, they’ll have you pay for it. The support is great if you need it, don’t get me wrong, but I have had a few cases where I was stuck because of a bug on their side and there was no way to report it.
Now I go through our account manager, but it’s annoying that for the amount of money I spend I cannot report bugs…
The service teams always keep an eye on the AWS forum, so posting it there should be a quick way to communicate if you don’t have the paid customer service.
A few questions:
What RADIUS solution are you using?
Does the Client VPN work without RADIUS? Or without AD?
Is the Managed AD located in the same region as the Client VPN?
Turn on VPC flow logs and look at the traffic; make sure it’s not a port issue.
Lastly, the feedback button on every page at AWS is the best way to report bugs. If you need support without a support plan, go to the AWS forums; they are also monitored by the AWS team.
Such a shame though, that product’s got the potential to really simplify quite a few things.
If anyone else runs into this, the closest drop-in I’ve been able to come up with is using OpenVPN Access Server configured to use LDAP with a post_auth script configured to validate OTP tokens, paired with a few Lambdas that post to OpenVPN Access Server’s GUI to update what users can access whenever that needs to change.
They have the forums for that, and every service should have a forum. Stuff posted there generally gets noticed - it won’t necessarily get fixed immediately, but it usually makes it into each team’s ticket queue or issue backlog. Some services are better about that than others.
> What RADIUS solution are you using? Does the Client VPN work without RADIUS? Or without AD?
In step 23, Client VPN works with either Managed MS AD or Simple AD paired with AD Connector when RADIUS is disabled.
> Is the Managed AD located in the same region as the Client VPN? Turn on VPC flow logs and look at the traffic; make sure it’s not a port issue.
Steps 8 and 9 demonstrate that Managed LDAP can connect to RADIUS; step 23 demonstrates that Client VPN can connect to Managed LDAP.
> Lastly, the feedback button on every page at AWS is the best way to report bugs. If you need support without a support plan, go to the AWS forums; they are also monitored by the AWS team.
There is a feedback button on every console page, and this cuts a ticket with whatever you put in directly to the service team. So I’d start there; if you have a support contract then that’s a better way, since your account manager can harass the service team for you.