I'm trying to set up multi-factor authentication for AWS WorkSpaces using AD and OATH TOTP (e.g. Google Authenticator). In the AWS AD Connector config you can set up the RADIUS server's IP, port and shared code. If I understand correctly the RADIUS server is what would then connect to Google Authenticator or any other provider and those details are abstracted away behind RADIUS.
Is it possible to connect NPS to an OATH TOTP provider or do you require another RADIUS server? Did I misunderstand how this works and the provider would have additional software to install? I've searched online but haven't found a very clear answer.
Looking around a bit I think you might want to approach this a bit differently. Let Amazon services do the OTP heavy lifting and only reach back to your AD for that small part of things.
Method seems to be first set up Amazon Directory Services to use your AD: http://docs.aws.amazon.com/directoryservice/latest/ad-connector/what_is.html
Enable/configure multi-factor authentication on that: http://docs.aws.amazon.com/directoryservice/latest/ad-connector/connect_mfa.html
Then come back and point your Amazon Workspaces at the Amazon Directory Services instance you just set up: http://docs.aws.amazon.com/workspaces/latest/adminguide/registration.html
I've done none of this, but on paper this looks like it might be easier than what you're contemplating, instead.