BYOD security is a concern for many IT departments. Because of this, UserLock includes a Wi-Fi and VPN session control feature that lets an organization control access to its wireless networks and remote-access servers, and helps secure BYOD environments.
With UserLock an organization can monitor, restrict and record every Wi-Fi and/or VPN session.
How to restrict Wi-Fi & VPN sessions with UserLock
The following post explains how UserLock enables you to manage Wi-Fi and VPN sessions.
Wi-Fi sessions are managed if configured with RADIUS Authentication and Accounting.
VPN sessions are managed if configured with RADIUS Authentication and Accounting, or if configured with a Microsoft RRAS Server.
Here are examples of such sessions (these are the four schemes referred to in the rest of this article):
- 1st scheme: Wi-Fi sessions (with RADIUS Authentication and Accounting)
- 2nd scheme: VPN sessions (with RADIUS Authentication and Accounting)
- 3rd scheme: VPN sessions (with a Microsoft RRAS Server)
- 4th scheme: Wi-Fi & VPN sessions (with RADIUS Authentication and Accounting)
By restricting Wi-Fi & VPN sessions, you can better control user access of a network.
(Note that more advanced technical details about Wi-Fi, RADIUS, IAS and RRAS are available at the end of the document.)
Getting Started
Conventions
Note that for this article we use the following conventions:
- “IAS” refers to both “NPS” (Windows Server 2008 and later) and “IAS” (Windows Server 2003 and earlier).
- “IasSrv” is the name of the IAS server.
- 192.168.1.2 is the IP of the IAS server.
- 192.168.1.3 is the IP of the Wi-Fi Access Point.
- “RrasSrv” is the name of the Microsoft RRAS server.
- 192.168.1.4 is the IP of the Microsoft RRAS server.
Requirements
For Wi-Fi sessions
A Wi-Fi Access Point that supports RADIUS Authentication and Accounting and is configured to use them. This article uses a Cisco Aironet 1700 as an example of such a device.
For VPN sessions
A VPN server that supports RADIUS Authentication and Accounting and is configured to use them, or a Microsoft RRAS Server.
Why RADIUS Accounting is important
A device or server described as “configured with RADIUS” is often configured for RADIUS Authentication only, with RADIUS Accounting left out.
Without RADIUS Accounting, UserLock never receives the accounting stop (logoff) notification, so it cannot tell when a Wi-Fi or VPN session ended and its session data is incomplete. That is why every mention of RADIUS in this article spells out “Authentication and Accounting”.
How to install:
- Install the UserLock agent corresponding to your network:
For Wi-Fi sessions
Install the IAS UserLock agent on an IAS server authenticating a Wi-Fi Access Point (1st scheme).
For VPN sessions
Install the IAS UserLock agent on an IAS server authenticating a VPN server (2nd scheme).
Or install the RRAS UserLock agent on a RRAS server (3rd scheme).
- Configure UserLock protected accounts with Wi-Fi & VPN restrictions.
How to use:
In this example, you will see how to configure protected accounts so that every user is allowed at most one Wi-Fi or VPN session at a time (the two session types count together). It is based on the 4th scheme:
Add RADIUS clients to the RADIUS Server
On the IAS server, run the IAS console, and configure the Wi-Fi Access Point and the Microsoft RRAS server as RADIUS clients:
Configure the Wi-Fi Access Point with the RADIUS Authentication and Accounting specifying the IAS server
Open the web Administration console of the Wi-Fi Access Point (here, Cisco Aironet 1700)
Go to “SECURITY”/”SSID Manager”:
On “Client Authentication Settings” / “Server Priorities”, click on “Define Defaults”:
Then configure RADIUS server with your server’s parameters and click on “Apply”. (You can configure multiple servers and then select priority between them):
Configure your VPN server with the RADIUS Authentication and Accounting specifying the same IAS server
On the VPN server (here a Microsoft RRAS server), open RRAS then configure it with the RADIUS Authentication and Accounting specifying the same IAS server:
Install the IAS UserLock agent on that IAS server
Complete the installation by restarting the Windows services concerned
On the IAS server, run CMD (or PowerShell) as administrator and run the following commands. Caution: while the services are stopped the IAS server answers no RADIUS requests, so Wi-Fi connections active at that moment are disconnected (and VPN connections too if RRAS runs on this same server):
- net stop remoteaccess
- net stop ias
- net start ias
- net start remoteaccess
In the UserLock Console, check that the status of the IAS agent is “Installed”
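The steps above (registering the RADIUS clients on the IAS server, pointing RRAS at the same server for Authentication and Accounting, restarting the services, and checking that Accounting is really in place as the “Why RADIUS Accounting is important” section insists) can be scripted. The following PowerShell script is an added example written for this article, not code from UserLock or IS Decisions. It assumes the names and addresses from the Conventions section (IasSrv at 192.168.1.2 running NPS, the access point at 192.168.1.3, RrasSrv at 192.168.1.4), that the NPS PowerShell module is available (Windows Server 2012 or later; on older IAS use the console), and that PowerShell remoting from IasSrv to RrasSrv is allowed. The client names “WiFi-AP” and “RrasSrv”, the 5-second RADIUS timeout and the expected wording of the `netsh ras aaaa show accounting` output are assumptions. The access point itself must still be configured in its web console (with the secret the script prints).

```powershell
# Added example (not from the UserLock article): script the RADIUS plumbing
# the article configures by hand. Run as an administrator on IasSrv.
param(
    [string]$IasServer  = '192.168.1.2',   # NPS/IAS server (Conventions section)
    [string]$ApAddress  = '192.168.1.3',   # Wi-Fi access point
    [string]$RrasServer = '192.168.1.4'    # Microsoft RRAS server
)

# One long random shared secret per RADIUS client (hex, so it contains no
# characters that confuse netsh). The AP's secret is shown once so it can be
# pasted into the AP web console; it is not written anywhere else.
function New-RadiusSecret {
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $_.ToString('x2') })
}

# 1. "Add RADIUS clients to the RADIUS Server": register the AP and RrasSrv.
Import-Module NPS
$apSecret   = New-RadiusSecret
$rrasSecret = New-RadiusSecret
New-NpsRadiusClient -Name 'WiFi-AP' -Address $ApAddress  -SharedSecret $apSecret
New-NpsRadiusClient -Name 'RrasSrv' -Address $RrasServer -SharedSecret $rrasSecret
Write-Host "Enter this RADIUS secret on the access point ($ApAddress): $apSecret"

# 2. Point RRAS at the SAME IAS server for both Authentication (UDP 1812) and
#    Accounting (UDP 1813). Accounting is what carries the logoff
#    (Accounting-Stop) notifications UserLock needs; "Windows accounting"
#    would leave UserLock blind to session ends.
$rrasConfig = {
    param($Nps, $Secret)
    netsh ras aaaa set authentication provider=radius
    netsh ras aaaa add authserver name=$Nps secret=$Secret port=1812 timeout=5
    netsh ras aaaa set accounting provider=radius
    netsh ras aaaa add acctserver name=$Nps secret=$Secret port=1813 timeout=5
}
Invoke-Command -ComputerName $RrasServer -ScriptBlock $rrasConfig `
               -ArgumentList $IasServer, $rrasSecret

# 3. Restart the services in the order the article gives so the UserLock IAS
#    agent is loaded. Caution: RADIUS requests go unanswered while IAS is down.
Stop-Service  RemoteAccess -Force -ErrorAction SilentlyContinue   # only if RRAS is also on IasSrv
Restart-Service IAS                                               # NPS/IAS service name is "IAS"
Start-Service RemoteAccess -ErrorAction SilentlyContinue

# 4. Verify. NPS must listen on BOTH RADIUS ports, and RRAS must report RADIUS
#    as its accounting provider; either missing means logoffs never reach UserLock.
function Test-RadiusListening {
    param([int[]]$Ports = @(1812, 1813))
    $open = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
            Where-Object { $Ports -contains $_.LocalPort } |
            Select-Object -ExpandProperty LocalPort -Unique
    return (@($Ports | Where-Object { $open -notcontains $_ }).Count -eq 0)
}

function Test-RrasRadiusAccounting {
    param([string]$Server)
    # Assumption: the provider line of 'netsh ras aaaa show accounting' names
    # RADIUS when RADIUS accounting is selected; any other value is a failure.
    $out = Invoke-Command -ComputerName $Server -ScriptBlock { netsh ras aaaa show accounting }
    return [bool](($out -join "`n") -match 'RADIUS')
}

if (-not (Test-RadiusListening)) {
    Write-Warning 'NPS is not listening on UDP 1812 and 1813'
}
if (-not (Test-RrasRadiusAccounting -Server $RrasServer)) {
    Write-Warning "RRAS on $RrasServer is not sending RADIUS Accounting; UserLock will miss VPN logoffs"
}
```

The same checks in step 4 are worth re-running after any change to the RRAS server or the access point: the symptom of missing Accounting is not an error but Wi-Fi and VPN sessions that never close in the UserLock console.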
Allow at most 1 Wi-Fi & VPN session in UserLock for all users
Add the “Everyone” protected account to make all users concerned by the new rule:
Allow 1 Wi-Fi & VPN session:
Test restrictions
Make a VPN connection with one account (in this example, the account ‘Alice’). The connection succeeds, and you can see the session in the UserLock console.
Now try a Wi-Fi connection with ‘Alice’. It will be denied, because her VPN session already uses the single Wi-Fi & VPN session allowed.
If you then close the VPN connection opened by ‘Alice’ and try a Wi-Fi connection with ‘Alice’ again, it will now be allowed.
Create other restrictions in UserLock
Other restrictions are also possible for Wi-Fi & VPN sessions: For example, defining working hours, time quotas…
Advanced Notes
- RADIUS (Remote Authentication Dial-In User Service) is a protocol for authentication, authorization and accounting.
- RADIUS Authentication and RADIUS Accounting are two different services, and both are required for UserLock to manage a session. RADIUS Authentication usually listens on UDP port 1812 (or the legacy port 1645), and RADIUS Accounting on UDP port 1813 (or the legacy port 1646).
- IAS is the Microsoft implementation of RADIUS in Windows Server 2003 and earlier. NPS is its successor, with the same role, from Windows Server 2008 onward.
- Wi-Fi is a standard for wireless communications. Whether RADIUS can be configured for a Wi-Fi network depends on the access point. Both RADIUS Authentication and Accounting are required for UserLock to manage Wi-Fi sessions.
- RRAS (Routing and Remote Access Service) is the Microsoft server role that terminates VPN sessions. An RRAS server can be configured with either Windows Authentication or RADIUS Authentication (and, likewise, Windows or RADIUS Accounting).
- Currently, it is not possible to log off Wi-Fi & VPN sessions through UserLock, it is only possible with Interactive (desktop) sessions.
Try UserLock for yourself – Download a FREE, 30 Day fully-functional trial version.
As always, our Client Services Team is at your disposal to provide you with further information or assistance. Please feel free to contact us anytime.