VPN sessions
UserLock can audit, control and apply a user access policy to the following type of VPN sessions:
VPN sessions when authenticated with the RADIUS protocol on a Microsoft Network Policy Server (included in Windows Server).
- This requires the 'NPS agent' to be installed in this service.
- Important:
RADIUS clients (Microsoft RRAS, VPN hardware routers) should be configured to contact the NPS server for 'RADIUS authentication' and 'RADIUS accounting'. - Limitations:
- Generally, the RADIUS protocol does not allow to recover the name of the client. As a result, you will not be able to apply Workstation restrictions with the client name. The only known case where this name is available is if your RRAS server is configured with RADIUS Authentication and RADIUS Accounting.
- The VPN client address is not provided by all RADIUS clients (hardware routers) so you may also not be able to enforce IP address restrictions.
- Multiple RADIUS servers for a single RADIUS client (hardware router) is not supported as the logon may be managed by a different agent to the logoff.
- When a VPN session is denied, the user is prompted to enter new credentials. There is currently no way to display a more intelligible message to the user.
- VPN sessions are not compatible with a forced logoff.
Currently, there is no hardware compatibility list showing all hardware routers that are compatible with UserLock. We therefore suggest you test your hardware device with UserLock.