BYOD Security for Windows Networks

BYOD security is a concern for many IT departments. Because of this, UserLock includes a Wi-Fi and VPN session control feature that permits an organization to control their wireless networks and help secure BYOD environments.

With UserLock an organization can monitor, restrict and record every Wi-Fi and/or VPN session.

How to restrict Wi-Fi & VPN sessions with UserLock

The following post explains how UserLock enables you to manage Wi-Fi and VPN sessions.

Wi-Fi sessions are managed if configured with RADIUS Authentication and Accounting.

VPN sessions are managed if configured with RADIUS Authentication and Accounting, or if configured with a Microsoft RRAS Server.

Here are examples of such sessions:

Wi-Fi sessions (with RADIUS Authentication and Accounting)

Wi-Fi sessions (with RADIUS Authentication and Accounting

VPN sessions (with RADIUS Authentication and Accounting)

BYOD Security - VPN with RADIUS authentication

 

VPN sessions (with a Microsoft RRAS Server)

VPN sessions (with a Microsoft RRAS Server

 

Wi-Fi & VPN sessions (with RADIUS Authentication and Accounting)

Wi-Fi & VPN sessions (with RADIUS Authentication and Accounting

 

By restricting Wi-Fi & VPN sessions, you can better control user access of a network.

(Note that more advanced technical details about Wi-Fi, RADIUS, IAS and RRAS are available at the end of the document.)

Getting Started

Conventions

Note that for this article we use the following conventions:

  • “IAS” to talk about “NPS” (Windows Server 2008 and higher) or “IAS” (Windows Server 2003 and lower).
  • “IasSrv” is the name of the IAS server.
  • 192.168.1.2 is the IP of the IAS server.
  • 192.168.1.3 is the IP of the Wi-Fi Access Point.
  • “RrasSrv” is the name of the Microsoft RRAS server.
  • 192.168.1.4 is the IP of the Microsoft RRAS server.

Requirements

For Wi-Fi sessions

A Wi-Fi Access Point compatible and configured with RADIUS Authentication and Accounting. An example of such a device is Cisco Aironet 1700 which is used in this article.

For VPN sessions

A VPN server compatible and configured with RADIUS Authentication and Accounting, or a Microsoft RRAS Server.

Why RADIUS Accounting is important

When we read “configured with RADIUS”, we may just configure the RADIUS Authentication and forget to configure RADIUS Accounting.

If RADIUS Accounting is not configured, UserLock will not receive logoff notifications, so its data will be incomplete. (That’s why we are highlighting all instances of RADIUS Accounting).

How to install:

  • Install the UserLock agent corresponding to your network:

For Wi-Fi sessions

Install the IAS UserLock agent on an IAS server authenticating a Wi-Fi Access Point (1st scheme).

For VPN sessions

Install the IAS UserLock agent on an IAS server authenticating a VPN server (2nd scheme).

Or install the RRAS UserLock agent on a RRAS server (3rd scheme).

 

  • Configure UserLock protected accounts with Wi-Fi & VPN restrictions.

How to use:

In this example, you will see how to configure protected accounts allowing only one Wi-Fi & VPN session to all users. It is based on the 4th scheme:

Add RADIUS clients to the RADIUS Server

On the IAS server, run the IAS console, and configure the Wi-Fi Access Point and the Microsoft RRAS server as RADIUS clients:

add radius clients to the radius server

Configure the Wi-Fi Access Point with the RADIUS Authentication and Accounting specifying the IAS server

Open the web Administration console of the Wi-Fi Access Point (here, Cisco Aironet 1700)

Go to “SECURITY”/”SSID Manager”:

security SSID Manager

 

On “Client Authentication Settings” / “Server Priorities”, click on “Define Defaults”:

client authentication settings

 

Then configure RADIUS server with your server’s parameters and click on “Apply”. (You can configure multiple servers and then select priority between them):

configure radius server

Configure your VPN server with the RADIUS Authentication and Accounting specifying the same IAS server

On the VPN server (here a Microsoft RRAS server), open RRAS then configure it with the RADIUS Authentication and Accounting specifying the same IAS server:

configure VPN server

change secret

add radius server

radius authentication

 

Install the IAS UserLock agent on that IAS server

Install the IAS UserLock agent on that IAS server

 

Complete the installation restarting the concerned Windows services

On the IAS server, run CMD (or PowerShell) as administrator and run the following commands: (caution: it will disconnect all Wi-Fi connections active at that moment):

  • net stop remoteaccess
  • net stop ias
  • net start ias
  • net start remoteaccess

In the UserLock Console, check that the status of the IAS agent is “Installed”

status IAS agent is installed

Allow at most 1 Wi-Fi & VPN session in UserLock for all users

Add the “Everyone” protected account to make all users concerned by the new rule:

add everyone protected account

 

add everyone protected account ok

add-everyone-protected-account3

 

Allow 1 Wi-Fi & VPN session:

allow one Wi-Fi and VPN session

 

Test restrictions

Make a VPN connection with one account (in this example the account ‘Alice’. The connection is successful. You can see the session in the UserLock console

VPN connection shown in the UserLock console

 

Now try a Wi-Fi connection with ‘Alice’. It will be denied.

If you then close the VPN connection opened by ‘Alice’, and then try a Wi-Fi connection with ‘Alice’, it will now be allowed

Create other restrictions in UserLock

Other restrictions are also possible for Wi-Fi & VPN sessions: For example, defining working hours, time quotas

Advanced Notes

  • RADIUS (Remote Authentication Dial-In User Service) is a protocol for authentication and accounting.
  • RADIUS Authentication and RADIUS Accounting are two different things, and both are needed to be compatible with UserLock. Usually, RADIUS Authentication is on port 1812 or 1645, and RADIUS Accounting is on port 1813 or 1646.
  • IAS is the Microsoft implementation of RADIUS in Windows Server 2003. NPS is the same but from Windows Server 2008.
  • Wi-Fi is a standard for wireless communications. It is possible to configure RADIUS for Wi-Fi depending on access points. RADIUS Authentication and Accounting are required for UserLock to manage Wi-Fi sessions.
  • RRAS is a Microsoft technology to manage VPN sessions. A RRAS server can be configured with Windows Authentication or RADIUS Authentication.
  • Currently, it is not possible to log off Wi-Fi & VPN sessions through UserLock, it is only possible with Interactive (desktop) sessions.

 

 

Try UserLock for yourselfDownload a FREE, 30 Day fully-functional trial version.

As always, our Client Services Team is at your disposal to provide you with further information or assistance. Please feel free to contact us anytime.

Share this post :

Software Developer at IS Decisions

Secured By miniOrange