Directory Service RADIUS Server Security Protocol
Overview
This check validates whether your AWS Directory Service directories that use RADIUS-based multi-factor authentication (MFA) are configured with the MS-CHAPv2 authentication protocol. RADIUS MFA is available for AWS Managed Microsoft AD and AD Connector, and the service offers four protocols for the exchange between the directory and your RADIUS server (PAP, CHAP, MS-CHAPv1 and MS-CHAPv2). MS-CHAPv2 is the strongest of the options the service offers.
Risk
Using weaker RADIUS authentication protocols creates significant security vulnerabilities:
- PAP (Password Authentication Protocol) sends the password protected only by the RFC 2865 User-Password obfuscation, an MD5 keystream derived from the shared secret and the request authenticator; anyone who can capture the RADIUS traffic and knows or cracks the shared secret recovers the password outright
- CHAP and MS-CHAPv1 are unsalted challenge-response schemes, so a captured exchange can be run through an offline dictionary or brute-force attack without knowing the shared secret at all
- Attackers exploiting these weaknesses can gain unauthorized access to your Active Directory-integrated services
- Compromised credentials enable lateral movement through your environment, putting all connected resources at risk
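The two weaknesses above, worked through in code. This is an added illustration written for this page, not code from the original page or from any AWS tool: it implements the RFC 2865 User-Password hiding that PAP relies on, recovers the password from it with the shared secret, and runs an offline dictionary attack against a captured CHAP exchange (RFC 1994). All passwords, secrets, authenticators and challenges are constructed sample values; nothing touches the network.

```python
"""PAP and CHAP over RADIUS: why a capture is enough. Added example with
constructed data; not part of the original page or of any AWS tooling."""
import hashlib
import hmac
from typing import Iterable, Optional

BLOCK = 16  # RFC 2865 processes User-Password in 16-byte blocks


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2, the only protection PAP gives the password on the wire.
    Each block is XORed with MD5(shared_secret || previous block), seeded with the
    16-byte Request Authenticator from the packet header."""
    if len(request_authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RFC 2865 caps User-Password at 128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += block
        prev = block
    return out


def unhide_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """The inverse, which anyone holding (or having cracked) the shared secret can run on a
    captured Access-Request. Trailing NUL padding is stripped, as the RFC requires."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        keystream = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge). In RADIUS this
    travels in the CHAP-Password attribute next to CHAP-Challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def crack_chap(ident: int, challenge: bytes, response: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on a captured CHAP exchange. No shared secret is needed
    and each guess costs one unsalted MD5, so only hashing speed limits the attacker."""
    for guess in candidates:
        if hmac.compare_digest(chap_response(ident, guess, challenge), response):
            return guess
    return None


def demo() -> dict:
    """Run both attacks on constructed data and report what an on-path attacker gets."""
    password = b"Correct-Horse-7"
    shared_secret = b"weak-radius-secret"  # constructed; deliberately guessable
    authenticator = bytes(range(16))       # constructed; normally random per request
    hidden = hide_user_password(password, shared_secret, authenticator)

    ident, challenge = 0x2A, b"\xde\xad\xbe\xef" * 4  # constructed CHAP exchange
    captured_response = chap_response(ident, password, challenge)
    wordlist = [b"password", b"Summer2024!", b"Correct-Horse-7", b"letmein"]

    return {
        "pap_hidden_differs_from_plaintext": hidden != password,
        "pap_recovered_with_secret": unhide_user_password(hidden, shared_secret, authenticator),
        "pap_recovered_with_wrong_secret": unhide_user_password(hidden, b"other", authenticator),
        "chap_recovered_without_secret": crack_chap(ident, challenge, captured_response, wordlist),
    }
```

The PAP half shows that the shared secret is the entire defence for a PAP password: with it, recovery is a few MD5 calls; without it, the attacker first cracks the secret (the same MD5 construction makes that an offline job too). The CHAP half needs no secret at all, which is why a stronger protocol between the directory and the RADIUS server matters even on a network you consider private.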
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify Directory Service RADIUS settings
- Your RADIUS server must support MS-CHAPv2 (most modern RADIUS servers do). Unlike PAP, MS-CHAPv2 can only be validated by a server that can obtain the user's NT hash or plaintext password, for example Windows NPS, or FreeRADIUS using ntlm_auth against the domain; an MFA proxy that accepts only PAP will reject every login once the protocol is switched
Required IAM permissions
Your IAM user or role needs the following permissions:
- ds:DescribeDirectories (to view the current settings; the RADIUS configuration is returned in the RadiusSettings field of each directory)
- ds:UpdateRadius
- ds:EnableRadius (only if MFA is not yet enabled on the directory)
AWS Console Method
- Open the AWS Directory Service console
- In the navigation pane, choose Directories
- Click on the Directory ID of your target directory
- Select the Networking & security tab
- Scroll down to the Multi-factor authentication section
- Click Actions, then Edit (or Enable if MFA is not yet configured)
- In the Protocol dropdown, select MS-CHAPv2
- Verify other settings (RADIUS servers, port, shared secret) are correct
- Click Update directory to save your changes
You should see the MFA configuration updated with MS-CHAPv2 as the protocol.
AWS CLI (optional)
Update RADIUS Protocol via CLI
First, identify your directory ID:
aws ds describe-directories \
--region us-east-1 \
--query "DirectoryDescriptions[*].[DirectoryId,Name,Type]" \
--output table
Update the RADIUS settings to use MS-CHAPv2:
aws ds update-radius \
  --directory-id d-1234567890 \
  --radius-settings '{
    "RadiusServers": ["192.168.1.100", "192.168.1.101"],
    "RadiusPort": 1812,
    "RadiusTimeout": 10,
    "RadiusRetries": 3,
    "SharedSecret": "YourStrongSharedSecret123!",
    "AuthenticationProtocol": "MS-CHAPv2"
  }' \
  --region us-east-1
Replace the following placeholders:
- d-1234567890 - your directory ID
- RadiusServers - IP addresses or FQDNs of your RADIUS servers; they must be reachable from the directory's domain controllers (AWS Managed Microsoft AD) or connector instances (AD Connector), which are the RADIUS clients
- SharedSecret - your RADIUS shared secret (must match your RADIUS server configuration)
Important: update-radius replaces the entire RADIUS configuration, so every field must be supplied, not only AuthenticationProtocol. It also only works on a directory where RADIUS MFA is already enabled; to turn MFA on for the first time, run aws ds enable-radius with the same --radius-settings JSON. A secret typed on the command line ends up in shell history; putting the JSON in a file and passing --radius-settings file://radius-settings.json avoids that.
CloudFormation (optional)
AWS CloudFormation does not natively support AWS::DirectoryService::RadiusSettings as a standalone resource. However, you can use a Custom Resource with Lambda to manage RADIUS settings.
AWSTemplateFormatVersion: '2010-09-09'
Description: Update Directory Service RADIUS settings to use MS-CHAPv2
Parameters:
  DirectoryId:
    Type: String
    Description: The ID of the directory (e.g., d-1234567890)
    AllowedPattern: ^d-[0-9a-f]{10}$
  RadiusServer1:
    Type: String
    Description: IP address or FQDN of primary RADIUS server
  RadiusServer2:
    Type: String
    Description: IP address or FQDN of secondary RADIUS server (leave empty for none)
    Default: ''
  RadiusPort:
    Type: Number
    Description: RADIUS server port
    Default: 1812
  RadiusSharedSecret:
    Type: String
    Description: RADIUS shared secret
    NoEcho: true
Resources:
  RadiusSettingsLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: DirectoryServiceRadiusPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ds:UpdateRadius
                  - ds:EnableRadius
                Resource: !Sub arn:aws:ds:${AWS::Region}:${AWS::AccountId}:directory/${DirectoryId}
  RadiusSettingsLambda:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.11
      Handler: index.handler
      Role: !GetAtt RadiusSettingsLambdaRole.Arn
      Timeout: 60
      Code:
        ZipFile: |
          import boto3
          import cfnresponse

          def handler(event, context):
              # Use the directory ID as the physical ID so a parameter change
              # updates the resource instead of replacing it.
              props = event.get('ResourceProperties', {})
              physical_id = props.get('DirectoryId', 'radius-settings')
              try:
                  if event['RequestType'] in ('Create', 'Update'):
                      ds = boto3.client('ds')
                      servers = [props['RadiusServer1']]
                      if props.get('RadiusServer2'):
                          servers.append(props['RadiusServer2'])
                      # update_radius replaces the whole configuration, so every
                      # field is supplied, not only the protocol.
                      ds.update_radius(
                          DirectoryId=props['DirectoryId'],
                          RadiusSettings={
                              'RadiusServers': servers,
                              'RadiusPort': int(props['RadiusPort']),
                              'RadiusTimeout': 10,
                              'RadiusRetries': 3,
                              'SharedSecret': props['RadiusSharedSecret'],
                              'AuthenticationProtocol': 'MS-CHAPv2'
                          }
                      )
                  # On Delete the RADIUS configuration is deliberately left in place,
                  # but CloudFormation still needs a response or the stack delete hangs.
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, physical_id)
              except Exception as e:
                  cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': str(e)}, physical_id)
  RadiusSettingsCustomResource:
    Type: Custom::RadiusSettings
    Properties:
      ServiceToken: !GetAtt RadiusSettingsLambda.Arn
      DirectoryId: !Ref DirectoryId
      RadiusServer1: !Ref RadiusServer1
      RadiusServer2: !Ref RadiusServer2
      RadiusPort: !Ref RadiusPort
      RadiusSharedSecret: !Ref RadiusSharedSecret
Outputs:
  DirectoryId:
    Description: Directory ID with updated RADIUS settings
    Value: !Ref DirectoryId
Deploy the stack. NoEcho masks the secret in the console and API output, but it still reaches the Lambda function in plaintext through the custom resource event, so never log the event. Quote the secret in single quotes so the shell does not expand characters such as !, and keep in mind that it is written to shell history when passed this way:
aws cloudformation create-stack \
  --stack-name ds-radius-mschapv2 \
  --template-body file://template.yaml \
  --capabilities CAPABILITY_IAM \
  --parameters \
    ParameterKey=DirectoryId,ParameterValue=d-1234567890 \
    ParameterKey=RadiusServer1,ParameterValue=192.168.1.100 \
    ParameterKey=RadiusServer2,ParameterValue=192.168.1.101 \
    'ParameterKey=RadiusSharedSecret,ParameterValue=YourStrongSharedSecret123!' \
  --region us-east-1
Terraform (optional)
variable "directory_id" {
  description = "The ID of the AWS Directory Service directory"
  type        = string
  # Example: d-1234567890
}

variable "radius_servers" {
  description = "List of RADIUS server IP addresses or FQDNs"
  type        = list(string)
  # Example: ["192.168.1.100", "192.168.1.101"]
}

variable "radius_port" {
  description = "RADIUS server port"
  type        = number
  default     = 1812
}

variable "radius_timeout" {
  description = "Timeout in seconds for RADIUS requests"
  type        = number
  default     = 10
}

variable "radius_retries" {
  description = "Number of retry attempts for RADIUS requests"
  type        = number
  default     = 3
}

variable "shared_secret" {
  description = "RADIUS shared secret"
  type        = string
  sensitive   = true
}

resource "aws_directory_service_radius_settings" "main" {
  directory_id   = var.directory_id
  radius_servers = var.radius_servers
  radius_port    = var.radius_port
  radius_timeout = var.radius_timeout
  radius_retries = var.radius_retries
  shared_secret  = var.shared_secret

  # display_label is a required argument of this resource; it is the label
  # shown for the MFA configuration in the console.
  display_label = "RADIUS MFA"

  # Use MS-CHAPv2 for secure authentication
  authentication_protocol = "MS-CHAPv2"
}

output "radius_directory_id" {
  description = "Directory whose RADIUS settings are managed here (the resource ID is the directory ID)"
  value       = aws_directory_service_radius_settings.main.id
}
Create a terraform.tfvars file (do not commit secrets to version control; note that sensitive = true only hides the value in plan and apply output, and the shared secret is still stored in plaintext in the Terraform state, so the state backend needs the same protection as the secret itself):
directory_id = "d-1234567890"
radius_servers = ["192.168.1.100", "192.168.1.101"]
shared_secret = "YourStrongSharedSecret123!"
Apply the configuration:
terraform init
terraform apply
Verification
After updating the RADIUS settings:
- Return to the Networking & security tab of your directory in the AWS Console
- In the Multi-factor authentication section, confirm that Protocol shows MS-CHAPv2
- Test MFA login with a user account to ensure authentication still works correctly, and confirm in the RADIUS server's log that the requests now arrive as MS-CHAPv2
CLI verification commands
Check current RADIUS settings:
aws ds describe-directories \
  --directory-ids d-1234567890 \
  --region us-east-1 \
  --query "DirectoryDescriptions[0].[RadiusStatus,RadiusSettings.AuthenticationProtocol]"
The output should show "Completed" for RadiusStatus and "MS-CHAPv2" for the protocol. A RadiusStatus of "Failed" means the directory could not apply the new settings, usually because the RADIUS server rejected the protocol or the shared secret.
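The same check, scripted. This is an added example written for this page, not code from the original page or from any AWS tool. It reads the JSON that aws ds describe-directories prints, reports every directory whose RADIUS MFA is not on MS-CHAPv2, and, for the CLI remediation above, builds the complete RadiusSettings payload that UpdateRadius requires, since that call replaces the whole configuration rather than patching one field. The sample DescribeDirectories output is constructed; the field limits (port 1025-65535, timeout 1-50, retries 0-10, secret 8-512 characters) are assumed to match the current API documentation; the shared secret is taken from the RADIUS_SHARED_SECRET environment variable rather than from the describe output, which is not relied on to return it.

```python
"""Audit-and-remediate helper for this check. Added example: not part of the
original page or of any AWS tool. Reads `aws ds describe-directories` JSON,
flags directories whose RADIUS MFA is not on MS-CHAPv2, and builds the full
RadiusSettings payload that UpdateRadius needs."""
import json
import os
import sys
from typing import Dict, List, Tuple

REQUIRED_PROTOCOL = "MS-CHAPv2"
# Documented limits for the RadiusSettings API fields (assumption: current docs).
PORT_RANGE, TIMEOUT_RANGE, RETRIES_RANGE, SECRET_LENGTH = (1025, 65535), (1, 50), (0, 10), (8, 512)


def evaluate(directory_descriptions: List[Dict]) -> List[Tuple[str, str]]:
    """(DirectoryId, reason) for every directory failing the check. Simple AD does not
    support RADIUS MFA, so it is skipped as not applicable rather than failed."""
    findings = []
    for d in directory_descriptions:
        did = d.get("DirectoryId", "<unknown>")
        if d.get("Type") == "SimpleAD":
            continue
        settings = d.get("RadiusSettings")
        if not settings:
            findings.append((did, "RADIUS MFA not configured"))
            continue
        proto = settings.get("AuthenticationProtocol")
        if proto != REQUIRED_PROTOCOL:
            findings.append((did, f"RADIUS protocol is {proto}, expected {REQUIRED_PROTOCOL}"))
        if d.get("RadiusStatus") == "Failed":
            findings.append((did, "RadiusStatus is Failed"))
    return findings


def build_mschapv2_settings(current: Dict, shared_secret: str) -> Dict:
    """Carry every existing field over and change only the protocol. The secret is an
    explicit argument; DescribeDirectories is not relied on to return it."""
    servers = list(current.get("RadiusServers") or [])
    if not servers:
        raise ValueError("RadiusServers must list at least one server")
    port = int(current.get("RadiusPort", 1812))
    timeout = int(current.get("RadiusTimeout", 10))
    retries = int(current.get("RadiusRetries", 3))
    for name, value, (lo, hi) in (("RadiusPort", port, PORT_RANGE),
                                 ("RadiusTimeout", timeout, TIMEOUT_RANGE),
                                 ("RadiusRetries", retries, RETRIES_RANGE)):
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} is outside {lo}..{hi}")
    if not SECRET_LENGTH[0] <= len(shared_secret) <= SECRET_LENGTH[1]:
        raise ValueError("shared secret length is outside the documented limits")
    new = {"RadiusServers": servers, "RadiusPort": port, "RadiusTimeout": timeout,
           "RadiusRetries": retries, "SharedSecret": shared_secret,
           "AuthenticationProtocol": REQUIRED_PROTOCOL}
    for opt in ("DisplayLabel", "UseSameUsername"):  # optional fields, kept verbatim
        if opt in current:
            new[opt] = current[opt]
    return new


# Constructed sample in the shape DescribeDirectories returns; no real account data.
SAMPLE = {"DirectoryDescriptions": [
    {"DirectoryId": "d-0123456789", "Type": "MicrosoftAD", "RadiusStatus": "Completed",
     "RadiusSettings": {"RadiusServers": ["10.0.1.5", "10.0.2.5"], "RadiusPort": 1812,
                        "RadiusTimeout": 10, "RadiusRetries": 3,
                        "AuthenticationProtocol": "PAP", "DisplayLabel": "MFA"}},
    {"DirectoryId": "d-abcdef0123", "Type": "ADConnector", "RadiusStatus": "Completed",
     "RadiusSettings": {"RadiusServers": ["10.0.1.5"], "RadiusPort": 1812,
                        "RadiusTimeout": 10, "RadiusRetries": 3,
                        "AuthenticationProtocol": "MS-CHAPv2"}},
    {"DirectoryId": "d-fedcba9876", "Type": "SimpleAD"},
]}


def main(argv: List[str]) -> int:
    """aws ds describe-directories --output json | python radius_check.py [--apply]
    --apply needs boto3 and the secret in RADIUS_SHARED_SECRET (never on argv)."""
    descs = json.load(sys.stdin)["DirectoryDescriptions"]
    findings = evaluate(descs)
    for did, reason in findings:
        print(f"{did}: {reason}")
    if "--apply" in argv:
        import boto3  # only needed for the live UpdateRadius call
        ds, secret = boto3.client("ds"), os.environ["RADIUS_SHARED_SECRET"]
        for d in descs:
            s = d.get("RadiusSettings")
            if s and s.get("AuthenticationProtocol") != REQUIRED_PROTOCOL:
                ds.update_radius(DirectoryId=d["DirectoryId"],
                                 RadiusSettings=build_mschapv2_settings(s, secret))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it without --apply first and review the findings; the non-zero exit status makes it usable as a CI or scheduled-compliance gate. With --apply it remediates only directories that already have RADIUS enabled, which is the case update-radius covers; a directory with MFA off needs enable-radius and a deliberate decision, not a script.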
Notes
- Coordinate with your RADIUS administrator: Before changing the protocol, ensure your RADIUS server is configured to accept MS-CHAPv2 authentication. Most modern RADIUS servers (FreeRADIUS, Windows NPS, etc.) support MS-CHAPv2 by default.
- Test in non-production first: If possible, test the protocol change in a development or staging environment before applying to production directories.
- Shared secret strength: Use a long shared secret generated from a cryptographically secure random source (at least 22 characters; a memorable passphrase is not good enough) between your directory and RADIUS server. The shared secret is the only protection for RADIUS message integrity and, with PAP, for the password itself, and a captured exchange allows it to be attacked offline.
- Network security: RADIUS (UDP 1812 by default) has no transport encryption of its own, so restrict it to authorized endpoints. Traffic should only flow between the directory's domain controllers or connector instances and your RADIUS servers; enforce this with security groups and network ACLs, and configure the RADIUS server to accept requests only from those client IPs.
- High availability: Configure multiple RADIUS servers for redundancy to avoid MFA becoming a single point of failure.
- No downgrade: After switching to MS-CHAPv2, do not revert to weaker protocols (PAP, CHAP, MS-CHAPv1) as this will reintroduce the security vulnerabilities. Keep in mind that MS-CHAPv2 is the strongest protocol the service offers, not a strong protocol in absolute terms: its DES-based challenge-response is also subject to offline attack once captured, so it complements, and does not replace, restricting RADIUS traffic and protecting the shared secret.