Description:

Multi-factor authentication (MFA) is a security process that requires users to provide two or more pieces of evidence to verify their identity. This helps to protect against unauthorized access, even if one of the factors is compromised.

In this policy, we will ensure that MFA is enabled on the RADIUS server in the Datacenter (DS). This will require users to provide their username and password, as well as a one-time passcode (OTP) from their MFA device, in order to authenticate to the network.

Rationale:

MFA provides an additional layer of security to the RADIUS server in the DS. This helps to protect against unauthorized access, even if the username and password are compromised.

Impact:

Enabling MFA on the RADIUS server in the DS will make it more difficult for unauthorized users to gain access to the network. This will help to protect the confidentiality, integrity, and availability of the network resources.

Default Value:

By default, MFA is not enabled on the RADIUS server in the DS. This means that users can only authenticate to the network using their username and password.

Pre-requisites:

To implement this policy, you will need the following:

  • Access to the RADIUS server in the DS
  • The ability to enable MFA on the RADIUS server

Remediation Steps:

To bring the RADIUS server into compliance with this policy, follow these steps:

  1. Log in to the RADIUS server in the DS.
  2. Enable MFA on the RADIUS server.
  3. Save the changes.

Test Plan:

To test that the policy has been implemented correctly, you can follow these steps:

  1. Attempt to authenticate to the network using only your username and password.
  2. The authentication should fail.
  3. Attempt to authenticate to the network using your username, password, and OTP.
  4. The authentication should succeed.
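The server-side decision that the test plan exercises, shown as an added example that is not part of the original policy text: the authentication service verifies the password against a stored hash and the OTP against a TOTP seed (RFC 6238), and returns Access-Accept only when both factors verify. The user record, salt and TOTP seed are constructed sample data; the `authenticate` function and its return strings are assumptions for illustration, not a real RADIUS implementation.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample user store (not real credentials): a PBKDF2 password hash
# plus the shared TOTP seed provisioned on the user's MFA device.
_SALT = b"constructed-salt"
_USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": b"constructed-totp-seed-0123456789",
    }
}
STEP_SECONDS = 30


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_password(user: str, password: str) -> bool:
    """First factor: constant-time comparison of the derived hash."""
    rec = _USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    # Compare against a dummy hash for unknown users so timing does not reveal enumeration.
    expected = rec["pw_hash"] if rec else hashlib.pbkdf2_hmac("sha256", b"", _SALT, 100_000)
    return rec is not None and hmac.compare_digest(candidate, expected)


def verify_otp(user: str, otp, now: float = None, skew_steps: int = 1) -> bool:
    """Second factor: accept the code for the current step or one step either side (clock drift)."""
    rec = _USERS.get(user)
    if rec is None or not isinstance(otp, str) or not otp.isdigit():
        return False
    now = time.time() if now is None else now
    for k in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(rec["totp_secret"], now + STEP_SECONDS * k), otp):
            return True
    return False


def authenticate(user: str, password: str, otp: str = None, now: float = None) -> str:
    """Policy decision: both factors must verify, otherwise the request is rejected."""
    pw_ok = verify_password(user, password)
    otp_ok = verify_otp(user, otp, now)  # evaluated even if the password failed
    return "Access-Accept" if (pw_ok and otp_ok) else "Access-Reject"


if __name__ == "__main__":
    t = time.time()
    print(authenticate("alice", "correct horse", now=t))  # password only -> Access-Reject
    code = totp(_USERS["alice"]["totp_secret"], t)
    print(authenticate("alice", "correct horse", code, now=t))  # both factors -> Access-Accept
```

Both factors are always evaluated so that a missing OTP and a wrong password take the same time; the OTP check accepts one step of clock drift on either side, which is the usual trade-off between usability and replay window.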

Implementation Plan:

The following steps implement this policy using the AWS CLI:

  1. Configure the AWS CLI with credentials that are authorized to modify the directory.
  2. Run the following command to register the RADIUS server with the directory and enable RADIUS MFA (the AWS Directory Service enable-radius operation; replace the placeholders with your directory ID, RADIUS server address and shared secret, and prefer passing the settings with --cli-input-json from a protected file so the shared secret does not land in shell history):
     aws ds enable-radius --directory-id <directory-id> --radius-settings RadiusServers=<radius-server-ip>,RadiusPort=1812,RadiusTimeout=30,RadiusRetries=3,SharedSecret=<shared-secret>,AuthenticationProtocol=PAP,DisplayLabel=MFA,UseSameUsername=true

Using AWS GUI:

  1. Go to the AWS IAM console.
  2. Click on "Radius Servers" in the left-hand navigation menu.
  3. Click on the "RADIUS Server" that you want to enable MFA for.
  4. Click on the "Edit" button.
  5. In the "Multi-Factor Authentication" section, check the "Enable MFA" checkbox.
  6. Click on the "Save" button.
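Whichever path is used, the outcome should be checked from the API rather than assumed. The following added example (not part of the original policy, and not AWS-provided code) parses the JSON that `aws ds describe-directories` returns and classifies each directory by its RadiusStatus and RadiusSettings fields; the sample output embedded below is constructed, and the directory IDs and names in it are placeholders.

```python
import json
import sys

# Constructed sample in the shape of `aws ds describe-directories --output json`
# (placeholder IDs and names, not data from a real account).
SAMPLE_DESCRIBE_DIRECTORIES = json.dumps({
    "DirectoryDescriptions": [
        {
            "DirectoryId": "d-0000000001", "Name": "corp.example", "Stage": "Active",
            "RadiusStatus": "Completed",
            "RadiusSettings": {
                "RadiusServers": ["10.0.0.5"], "RadiusPort": 1812,
                "AuthenticationProtocol": "PAP", "DisplayLabel": "MFA",
            },
        },
        # RADIUS never configured: no RadiusSettings / RadiusStatus at all.
        {"DirectoryId": "d-0000000002", "Name": "lab.example", "Stage": "Active"},
        # Configured, but the directory could not reach the RADIUS server.
        {
            "DirectoryId": "d-0000000003", "Name": "dev.example", "Stage": "Active",
            "RadiusStatus": "Failed",
            "RadiusSettings": {"RadiusServers": ["10.0.9.9"], "RadiusPort": 1812},
        },
    ]
})


def classify(directory: dict) -> str:
    """Classify one DirectoryDescription entry for the MFA-on-RADIUS control."""
    settings = directory.get("RadiusSettings")
    if not settings or not settings.get("RadiusServers"):
        return "not-configured"
    status = directory.get("RadiusStatus")
    if status == "Completed":
        return "compliant"
    if status == "Failed":
        return "failed"
    return "pending"  # e.g. "Creating": enabled but not yet usable


def radius_mfa_findings(describe_output: str) -> dict:
    """Map each DirectoryId in describe-directories output to its finding."""
    data = json.loads(describe_output)
    return {d["DirectoryId"]: classify(d) for d in data.get("DirectoryDescriptions", [])}


def noncompliant(findings: dict) -> list:
    """Directory IDs that fail the control, sorted for stable reporting."""
    return sorted(d for d, state in findings.items() if state != "compliant")


if __name__ == "__main__":
    # Usage: aws ds describe-directories --output json | python3 check_radius_mfa.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_DIRECTORIES
    findings = radius_mfa_findings(raw)
    for directory_id, state in findings.items():
        print(f"{directory_id}\t{state}")
    sys.exit(1 if noncompliant(findings) else 0)
```

A "Failed" status is treated as a finding in its own right: the setting exists, but users would not be able to complete the second factor, which is the condition the test plan's step 4 is meant to catch.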

Backout Plan:

To back out this change, follow these steps:

  1. Log in to the RADIUS server in the DS.
  2. Disable MFA on the RADIUS server.
  3. Save the changes.

Note:

This policy is only applicable to the RADIUS server in the DS. If you have other RADIUS servers in your environment, you will need to implement this policy on those servers as well.

Reference:

  • AWS IAM Multi-Factor Authentication Documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html

Tags and Keywords:

  • tags: security, radius, mfa
  • keywords: authentication, protocol, security, tls