Enabling Multi-Factor Authentication (MFA) for an AWS Active Directory (AD) Connector directory can fail. A common cause is a communication problem between the AD Connector instances and the RADIUS server: the RADIUS server never responds, so the MFA configuration cannot complete.
Sample Background Setup:
- An admin has an AWS AD Connector set up to connect an on-premises Active Directory to AWS services (AWS Workspaces).
- Attempting to enable MFA for the AD Connector using the Okta RADIUS server (IP: [IPAddress]) for authentication.
- The MFA setup consistently fails, no traffic reaches the Okta RADIUS server, and the logs do not indicate the cause of the failure.
Applies To:
- Okta RADIUS
- Multi-Factor Authentication (MFA)
Cause:
The Okta RADIUS Agent application is being blocked by the Windows Firewall on the server where the agent runs.
To resolve the issue, follow the steps mentioned below:
- Log in to Windows Server.
- Search Allow an app through Windows Firewall.
- Click Allow another app.
- Click Browse and navigate to the folder C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\bin.
- Select these two files: Oauth and okta-radius, and click Add.
- When the file okta-radius is added, it is listed as "Apache Commons Daemon Service Runner." Click Add.
- Ensure that the allowed app and features "Oauth" and "Apache Commons Daemon Service Runner" are checked, and that the corresponding columns under Public are checked.
- Click OK.
- (Optional) Run a test using the NTRadPing application to verify that a response is received from the RADIUS Server to the AWS Workspace.
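The same firewall change, scripted in PowerShell as an added example that is not part of this article or the Okta agent: it checks whether an inbound allow rule already exists for each agent binary before creating one, and it goes beyond the GUI steps by scoping the rule to the AD Connector addresses and the RADIUS UDP port. It assumes the two executables are named Oauth.exe and okta-radius.exe in the bin folder named above; the AD Connector IPs and the port are placeholders to replace with your own values.

```powershell
# Added example, not from the Okta article. Run on the Windows Server hosting the Okta RADIUS Agent.
#Requires -RunAsAdministrator

$AgentBin = 'C:\Program Files (x86)\Okta\Okta RADIUS Agent\current\bin'
$Programs = @(
    @{ Name = 'Okta RADIUS Agent - Oauth';       Path = Join-Path $AgentBin 'Oauth.exe' }        # assumed file name
    @{ Name = 'Okta RADIUS Agent - okta-radius'; Path = Join-Path $AgentBin 'okta-radius.exe' }  # assumed; shows as "Apache Commons Daemon Service Runner"
)
$AdConnectorIps = @('10.0.0.10', '10.0.1.10')   # placeholder: the AD Connector's DNS/IP addresses in your VPC
$RadiusPort     = 1812                           # placeholder: the UDP port configured on the agent

function Get-ExistingAllowRule {
    param([string]$Path)
    # Find enabled inbound Allow rules whose program path matches. Note the match is exact:
    # rules created by the GUI may store the path with %ProgramFiles(x86)% instead.
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -eq $Path } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
}

foreach ($p in $Programs) {
    if (-not (Test-Path -LiteralPath $p.Path)) {
        Write-Warning "Not found: $($p.Path) (agent not installed, or a different file name?)"
        continue
    }
    $existing = Get-ExistingAllowRule -Path $p.Path
    if ($existing) {
        Write-Host "Already allowed: $($p.Path) -> $($existing.DisplayName -join ', ') [profiles: $($existing.Profile -join ', ')]"
        continue
    }
    # Inbound allow limited to the AD Connector addresses and the RADIUS UDP port.
    # The GUI's "Allow another app" creates a broader any-port, any-address rule for the program.
    New-NetFirewallRule -DisplayName $p.Name -Direction Inbound -Action Allow `
        -Program $p.Path -Protocol UDP -LocalPort $RadiusPort `
        -RemoteAddress $AdConnectorIps -Profile Domain, Private, Public -Enabled True | Out-Null
    Write-Host "Created inbound allow rule '$($p.Name)' for $($p.Path)"
}

# List the resulting rules so the Public profile can be confirmed, as the article's checkbox step asks.
Get-NetFirewallRule -DisplayName 'Okta RADIUS Agent - *' |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```

After the rules exist, the NTRadPing test from the last step above is still the way to confirm that the agent actually answers, since the firewall rule only removes one possible cause.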
