UserLock can audit, control and apply a user access policy to two kinds of VPN sessions:
VPN sessions when authenticated with the RADIUS protocol on a Microsoft Network Policy Server (included in Windows Server).
- This requires the 'NPS agent' to be installed in this service.
RADIUS clients (Microsoft RRAS, VPN hardware routers) should be configured to contact the NPS server for 'RADIUS authentication' and 'RADIUS accounting'.
- Generally, the RADIUS protocol does not allow the name of the client to be retrieved. As a result, you will not be able to apply Workstation restrictions based on the client name. The only known case where this name is available is if your RRAS server is configured with RADIUS Authentication and RADIUS Accounting.
- The VPN client address is not provided by all RADIUS clients (hardware routers) so you may also not be able to enforce IP address restrictions.
- Using multiple RADIUS servers for a single RADIUS client (hardware router) is not supported, as the logon may be managed by a different agent than the logoff.
- When a VPN session is denied, the user is prompted to enter new credentials. There is currently no way to display a more intelligible message to the user.
Currently, there is no hardware compatibility list showing all hardware routers that are compatible with UserLock. We therefore suggest you test your hardware device with UserLock.
RAS sessions (VPN and dialup) on the Microsoft Routing and Remote Access Service (included in Windows Server).
- This requires the 'RRAS agent' to be installed in this service.
- In this mode, UserLock is unable to retrieve the Internet IP address of the VPN client. As a workaround, RRAS can be configured to use 'RADIUS authentication' with an NPS server.
- When a VPN session is denied, the user is prompted to reconnect. There is currently no way to display a more intelligible message to the user.